Abstract: This paper presents general syntactic conditions ensuring the strong normalization and the logical consistency of the Calculus of Algebraic Constructions, an extension of the Calculus of Constructions with functions and predicates defined by higher-order rewrite rules. On the one hand, the Calculus of Constructions is a powerful type system in which one can formalize the propositions and natural deduction proofs of higher-order logic. On the other hand, rewriting is a simple and powerful computation paradigm. The combination of both makes it possible, among other things, to develop formal proofs of reduced size and with more automation compared with more traditional proof assistants. The main novelty is to consider a general form of rewriting at the predicate level which generalizes the strong elimination of the Calculus of Inductive Constructions.



1. Introduction 

This work aims at defining an expressive language allowing one to specify and prove mathematical properties easily. The quest for such a language started with Girard's system F (Girard 1972) on the one hand and De Bruijn's Automath project (De Bruijn 1968) on the other hand. Later, Coquand and Huet combined both calculi into the Calculus of Constructions (CC) (Coquand 1985). As in system F, in CC, data types are defined through impredicative encodings that are difficult to use in practice. So, following Martin-Löf's theory of types (Martin-Löf 1984), Coquand and Paulin-Mohring defined an extension of CC with inductive types and their associated induction principles as first-class objects, the Calculus of Inductive Constructions (CIC) (Coquand and Paulin-Mohring 1988), which is the basis of the proof assistant Coq (Coq Development Team 2002).

However, defining functions or predicates by induction is not always convenient. Moreover, with such definitions, equational reasoning is awkward and leads to very large proof terms. Yet, for decidable theories, equational proofs need not be kept in proof terms. This idea that proving is not only reasoning (undecidable) but also computing (decidable) has been recently formalized in a general way by Dowek, Hardin and Kirchner with the Natural Deduction Modulo (NDM) for first-order logic (Dowek et al. 1998).

A more convenient and powerful way of defining functions and predicates is by using 
rewrite rules (Dershowitz and Jouannaud 1990). This notion is very old but its study 
really began in the 70's with Knuth and Bendix (Bendix and Knuth 1970) for knowing 
whether, in a given equational theory, an equation is valid or not. Then, rewriting was 
quickly used as a programming paradigm (see (Dershowitz and Jouannaud 1990)) since 
any computable function can be defined by rewrite rules. 

In the following sub-sections, we present in more detail our motivations for extending CIC with rewriting, the previous works on the combination of $\lambda$-calculus and rewriting, and our own contributions.

1.1. Advantages of rewriting 

In CIC, functions and predicates can be defined by induction on inductively defined types. The case of the type $nat$ of natural numbers, defined from $0 : nat$ (zero) and $s : nat \Rightarrow nat$ (successor function), yields Gödel's system T: a function $f : nat \Rightarrow \tau$ is defined by giving a pair of terms $(u, v)$, written $(rec\ u\ v)$, where $u : \tau$ is the value of $f(0)$ and $v : nat \Rightarrow \tau \Rightarrow \tau$ is a function which computes the value of $f(n+1)$ from $n$ and $f(n)$. Computation proceeds by applying the following (higher-order) rewrite rules, called $\iota$-reduction:

$rec\ u\ v\ 0 \to_\iota u$
$rec\ u\ v\ (s\ n) \to_\iota v\ n\ (rec\ u\ v\ n)$

For instance, addition can be defined by the term $\lambda xy.(rec\ u\ v\ x)$ with $u = y$ and $v = \lambda nr.s(r)$ (definition by induction on $x$). Then, one can check that:†

$2 + 2 \to_\beta^* rec\ 2\ v\ 2 \to_\iota v\ 1\ (rec\ 2\ v\ 1) \to_\beta^* s(rec\ 2\ v\ 1) \to_\iota s(v\ 0\ (rec\ 2\ v\ 0)) \to_\beta^* s(s(rec\ 2\ v\ 0)) \to_\iota s(s(2)) = 4$

Proofs by induction are formalized in the same way: if $P$ is a predicate on natural numbers, $u$ a proof of $P0$ and $v$ a proof of $(n : nat)Pn \Rightarrow P(sn)$,‡ then $rec\ P\ u\ v$ is a proof of $(n : nat)Pn$, and $\iota$-reduction corresponds to the elimination of induction cuts. In fact, $(rec\ u\ v)$ is nothing but a particular case of $(rec\ P\ u\ v)$ with the non-dependent predicate $P = \lambda n.\tau$.

In addition, deduction steps are made modulo $\beta\iota$-equivalence,§ that is, if $\pi$ is a proof of $P$ and $P \leftrightarrow^*_{\beta\iota} Q$, then it is also a proof of $Q$. For instance, if $\pi$ is a proof of $P(2+2)$, then it is also a proof of $P(4)$, as one would naturally expect. The verification that a term $\pi$ is indeed a proof of a proposition $P$, called type-checking, is decidable since $\beta\iota$ is a confluent (the order of computations does not matter) and strongly normalizing (there is no infinite computation) relation (Werner 1994).

† $\to^*_\beta$ is the reflexive and transitive closure of the $\beta$-reduction relation: $(\lambda x.t)\,u \to_\beta t\{x \mapsto u\}$.
‡ As often in type systems, we denote universal quantification over a type $T$ by $(x : T)$.
§ Reflexive, symmetric and transitive closure of the $\beta\iota$-reduction relation (which is the union of the $\beta$ and $\iota$ reduction relations).
Although the introduction of inductive types and their induction principles as first-class objects is a big step towards a greater usability of proof assistants, we are going to see that the restriction of function definitions to definitions by induction, and the restriction of type conversion to $\beta\iota$-equivalence, have several important drawbacks. The use of rewriting, that is, the ability of defining functions by giving a set of rewrite rules $\mathcal{R}$, and the possibility of doing deductions modulo $\beta\mathcal{R}$-equivalence, can remedy these problems. It appears that $\iota$-reduction itself is nothing but a particular case of higher-order rewriting (Klop et al. 1993; Nipkow 1991) where, as opposed to first-order rewriting, the constructions of the $\lambda$-calculus (application, abstraction and product) can be used in the right-hand sides of rules.¶ A common example of a higher-order definition is the function $map$ which applies a function $f$ to each element of a list:

$map\ f\ nil \to nil$
$map\ f\ (cons\ x\ \ell) \to cons\ (f\ x)\ (map\ f\ \ell)$

where $nil$ stands for the empty list and $cons$ for the function adding an element at the head of a list.

Easier definitions. First of all, with rewriting, definitions are easier. For instance, addition can be defined by simply giving the rules:

$0 + y \to y$
$(s\ x) + y \to s\ (x + y)$

Then, we have $2 + 2 \to s(1 + 2) \to s(s(0 + 2)) \to s(s(2)) = 4$. Of course, one can make the definitions by induction look like this one, as is the case in Coq (Coq Development Team 2002), but this is not always possible. For instance, the definition by induction of the comparison function $\leq$ on natural numbers requires the use of two recursors:

$\lambda x.rec\ (\lambda y.true)\ (\lambda nry.rec\ false\ (\lambda n'r'.r\ n')\ y)\ x$

while the definition by rewriting is simply:

$0 \leq y \to true$
$s\ x \leq 0 \to false$
$s\ x \leq s\ y \to x \leq y$

More efficient computations. From a computational point of view, definitions by rewriting can be more efficient, although the process of selecting an applicable rule may have a higher cost (Augustsson 1985). For example, since $+$ is defined by induction on its first argument, the computation of $n + 0$ requires $n + 1$ reduction steps. By adding the rule $x + 0 \to x$, this takes only one step.

Quotient types. Rewriting allows us to formalize some quotient types in a simple way, without requiring any additional extension (Barthe and Geuvers 1995; Courtieu 2001), by simply considering rewrite rules on constructors, which is forbidden in CIC since constructors must be free in this system. For instance, integers can be formalized by taking $0$ for zero, $p$ for predecessor and $s$ for successor, together with the rules:

$s\ (p\ x) \to x$
$p\ (s\ x) \to x$

This technique applies to any type whose constructors satisfy a set of equations that can be turned into a confluent and strongly normalizing rewrite system (Jouannaud and Kounalis 1986).

¶ We will not consider higher-order pattern-matching here although it should be possible, as we show it for the simply-typed $\lambda$-calculus in (Blanqui 2000).

More automation. We previously saw that, in CIC, if $P$ is a predicate on natural numbers, then $P(2+2)$ is $\beta\iota$-equivalent to $P(4)$ and, hence, that a proof of $P(2+2)$ is also a proof of $P(4)$. This means that proving $P(4)$ from $P(2+2)$ does not require any argument: this is automatically done by the system. But, because functions must be defined by induction, this does not work anymore for computations on open terms: since $+$ is defined by induction on its first argument, $P(x + 2)$ is not $\beta\iota$-equivalent to $P(s(s(x)))$. Proving $P(s(s(x)))$ from $P(x + 2)$ requires a user interaction for proving that $x + 2$ is equal to $s(s(x))$, which requires induction.

We may even go further and turn some lemmas into simplification rules. Let us for instance consider the multiplication on natural numbers:

$0 \times y \to 0$
$(s\ x) \times y \to y + (x \times y)$

Then, the distributivity of the addition over the multiplication can be turned into the rewrite rule:

$(x + y) \times z \to (x \times z) + (y \times z)$

hence allowing the system to prove more equalities and more lemmas automatically by simply checking the $\beta\mathcal{R}$-equivalence with already proved statements. In the case of an equality $u = v$, it suffices to check whether it is $\beta\mathcal{R}$-equivalent to the instance $u = u$ of the identity axiom, which is the same as checking whether $u$ and $v$ have the same $\beta\mathcal{R}$-normal form.

Smaller proofs. Another important consequence of considering a richer equivalence relation on types is that it reduces the size of proofs, which is currently an important limitation in proof assistants like Coq. For instance, while the proof of $P(s(s(x)))$ requires the application of some substitution lemma in CIC, it is equal to the proof of $P(x + 2)$ when rewriting is allowed. The benefit becomes very important with equality proofs, since they require the use of many lemmas in CIC (substitution, associativity, commutativity, etc.), while they reduce to reflexivity with rewriting (if one considers rewriting modulo associativity and commutativity (Peterson and Stickel 1981)).

More typable terms. The fact that some terms are not $\beta\iota$-equivalent as one would expect has another unfortunate consequence: some apparently well-formed propositions are rejected by the system. Take for instance the type $list : (n : nat)\star$ of lists of length $n$ with the constructors $nil : list\ 0$ and $cons : nat \Rightarrow (n : nat)list\ n \Rightarrow list\ (s\ n)$. Let $app : (n : nat)list\ n \Rightarrow (n' : nat)list\ n' \Rightarrow list\ (n + n')$ be the concatenation function on lists. If, as usual, $app$ is defined by induction on its first argument then, surprisingly, the following propositions are not typable in CIC:

$app\ n\ \ell\ 0\ nil = \ell$
$app\ (n + n')\ (app\ n\ \ell\ n'\ \ell')\ n''\ \ell'' = app\ n\ \ell\ (n' + n'')\ (app\ n'\ \ell'\ n''\ \ell'')$

In the first equation, the left-hand side is of type $list\ (n + 0)$ and the right-hand side is of type $list\ n$. Although one can prove that $n + 0 = n$ holds for any $n$ in $nat$, the equality is not well-typed since $n + 0$ is not $\beta\iota$-convertible to $n$ (only terms of equivalent types can be equal).

In the second equation, the left-hand side is of type $list\ ((n + n') + n'')$ and the right-hand side is of type $list\ (n + (n' + n''))$. Again, although one can prove that $(n + n') + n'' = n + (n' + n'')$ holds for any $n$, $n'$ and $n''$ in $nat$, the two terms are not $\beta\iota$-convertible. Therefore, the proposition is not well-formed.

On the other hand, by adding the rules $x + 0 \to x$ and $(x + y) + z \to x + (y + z)$, the previous propositions become well-typed as expected.

Integration of decision procedures. One can also define predicates by rewrite rules or have simplification rules on propositions, hence generalizing the definitions by strong elimination in CIC. For example, one can consider the set of rules of Figure 1 (Hsiang 1982) where $\oplus$ (exclusive "or") and $\wedge$ are commutative and associative symbols, $\bot$ represents the proposition always false and $\top$ the proposition always true.

Fig. 1. Decision procedure for classical propositional tautologies

$P \oplus \bot \to P$
$P \oplus P \to \bot$
$P \wedge \top \to P$
$P \wedge \bot \to \bot$
$P \wedge P \to P$
$P \wedge (Q \oplus R) \to (P \wedge Q) \oplus (P \wedge R)$

Hsiang (Hsiang 1982) showed that this system is confluent and strongly normalizing, and that a proposition $P$ is a tautology (i.e. is always true) iff $P$ reduces to $\top$. So, assuming type-checking in CC extended with this rewrite system remains decidable, then, to know whether a proposition $P$ is a tautology, it is sufficient to submit an arbitrary proof of $\top$ to the verification program. We would not only gain in automation but also in the size of proofs (any tautology would have a proof of constant size).
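Hsiang's system of Figure 1 rewrites modulo associativity and commutativity of $\oplus$ and $\wedge$, which plain syntactic matching cannot do. The added Python example below (not part of the paper) implements its normal forms directly: a proposition is kept as a set of monomials (a sum modulo $\oplus$ of conjunctions of atoms), so that $P \oplus P \to \bot$ and $P \wedge P \to P$ are absorbed by the set representation, $\oplus$ is symmetric difference, and $\wedge$ distributes as in the last rule. It then checks "P is a tautology iff P reduces to $\top$" against an independent truth table. The tuple syntax for formulas and the encoding of $\neg$, $\vee$ and $\Rightarrow$ into $\oplus$ and $\wedge$ are assumptions made here.

```python
from itertools import product

# Hsiang normal form modulo AC: a frozenset of monomials, each monomial a
# frozenset of atom names standing for their conjunction (assumed encoding).
TOP = frozenset({frozenset()})   # T: the empty conjunction
BOT = frozenset()                # _|_: the empty sum


def xor(a, b):
    """P (+) Q: symmetric difference, so P (+) _|_ -> P and P (+) P -> _|_."""
    return a ^ b


def conj(a, b):
    """P /\\ Q: distribute /\\ over (+) (last rule of Figure 1); P /\\ P -> P is
    the set union of atoms, P /\\ T -> P and P /\\ _|_ -> _|_ follow from TOP/BOT."""
    out = BOT
    for m in a:
        for n in b:
            out = xor(out, frozenset({m | n}))
    return out


def neg(a):        # ~P = P (+) T
    return xor(a, TOP)


def disj(a, b):    # P \/ Q = P (+) Q (+) (P /\ Q)
    return xor(xor(a, b), conj(a, b))


def impl(a, b):    # P => Q = ~P \/ Q = T (+) P (+) (P /\ Q)
    return xor(TOP, xor(a, conj(a, b)))


# Constructed formula syntax: "T", "F", an atom name, or a tuple
# ("not", f), ("and", f, g), ("or", f, g), ("xor", f, g), ("imp", f, g).
OPS = {"not": neg, "and": conj, "or": disj, "xor": xor, "imp": impl}


def normal_form(f):
    """Normal form of f, computed bottom-up (rewriting is closed under context)."""
    if f == "T":
        return TOP
    if f == "F":
        return BOT
    if isinstance(f, str):
        return frozenset({frozenset({f})})
    op, *args = f
    return OPS[op](*(normal_form(a) for a in args))


def is_tautology(f):
    """Hsiang's criterion: f is a classical tautology iff it reduces to T."""
    return normal_form(f) == TOP


def show(nf):
    """Readable rendering of a normal form, e.g. 'T (+) p (+) p/\\q'."""
    if nf == BOT:
        return "_|_"
    mons = sorted(nf, key=lambda m: (len(m), sorted(m)))
    return " (+) ".join("T" if not m else "/\\".join(sorted(m)) for m in mons)


def evaluate(f, env):
    """Classical truth value of f under an assignment of its atoms."""
    if f in ("T", "F"):
        return f == "T"
    if isinstance(f, str):
        return env[f]
    op, *args = f
    v = [evaluate(a, env) for a in args]
    return {"not": lambda: not v[0], "and": lambda: v[0] and v[1],
            "or": lambda: v[0] or v[1], "xor": lambda: v[0] != v[1],
            "imp": lambda: (not v[0]) or v[1]}[op]()


def atoms(f):
    if f in ("T", "F"):
        return set()
    if isinstance(f, str):
        return {f}
    return set().union(*(atoms(a) for a in f[1:]))


def tautology_by_table(f):
    """Independent oracle: exhaustive valuation (exponential, validation only)."""
    names = sorted(atoms(f))
    return all(evaluate(f, dict(zip(names, bits)))
               for bits in product((False, True), repeat=len(names)))
```

Because every connective is computed on normal forms, a tautology always collapses to the single empty monomial, while a non-tautology such as $p \Rightarrow q$ stays as $\top \oplus p \oplus (p \wedge q)$, which is exactly the proof-size point above: the certificate for a tautology is the same constant-size object whatever the formula.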

We can also imagine simplification rules on equalities like the ones of Figure 2 where $+$ and $\times$ are associative and commutative, and $=$ commutative.

Fig. 2. Simplification rules on equality

$x = x \to \top$
$s\ x = s\ y \to x = y$
$x + y = 0 \to x = 0 \wedge y = 0$
$x \times y = 0 \to x = 0 \vee y = 0$
1.2. Problems

We saw that rewriting has numerous advantages over induction but it is not clear to which extent rewriting can be added to powerful type systems like the Calculus of Constructions (CC) without compromising the decidability of type-checking and the logical consistency. Furthermore, since rewrite rules are user-defined, it is also not clear whether $\beta\mathcal{R}$-equivalence/normalization can be made as efficient as a fixed system with $\beta\iota$-reduction only (Grégoire and Leroy 2002), although some works on rewriting seem very promising (Eker 1996; Kirchner and Moreau 2001).

Since we want to consider deductions modulo $\beta\mathcal{R}$-equivalence, we at least need this equivalence to be decidable. The usual way of proving the decidability of such an equivalence relation is by proving confluence and strong normalization of the corresponding reduction relation. Since these properties are not decidable in general, we will look for decidable sufficient conditions as general as possible.

As for the logical consistency, we cannot deduce it from normalization anymore as is the case in CC (Barendregt 1992), since adding function symbols and rewrite rules is like adding hypotheses and equality/equivalence axioms. Therefore, for logical consistency also, we will look for sufficient conditions as general as possible.

In the following sub-section, we present a short history of the different results obtained 
so far on the combination of /3-reduction and rewriting. Then, we will present our own 
contributions. 

1.3. Previous works 

The first work on the combination of typed $\lambda$-calculus and (first-order) rewriting is due to Breazu-Tannen in 1988 (Breazu-Tannen 1988). He showed that the combination of simply-typed $\lambda$-calculus and first-order rewriting is confluent if rewriting is confluent. In 1989, Breazu-Tannen and Gallier (Breazu-Tannen and Gallier 1989), and Okada (Okada 1989) independently, showed that strong normalization is also preserved. These results were extended by Dougherty (Dougherty 1991) to any "stable" set of pure $\lambda$-terms. The combination of first-order rewriting and Pure Type Systems (PTS) (Geuvers and Nederhof 1991; Barendregt 1992) was also studied by several authors (Barbanera 1990; Barthe and Melliès 1996; Barthe and van Raamsdonk 1997; Barthe 1998).

In 1991, Jouannaud and Okada (Jouannaud and Okada 1991) extended the result of 
Breazu-Tannen and Gallier to the higher-order rewrite systems satisfying the General 
Schema, an extension of primitive recursion to the simply-typed A-calculus. With higher- 
order rewriting, strong normalization becomes more difficult to prove since there is a 
strong interaction between rewriting and /3-reduction, which is not the case with first- 
order rewriting. 

In 1993, Barbanera, Fernández and Geuvers (Barbanera et al. 1994; Fernández 1993) extended the proof of Jouannaud and Okada to the Calculus of Constructions (CC) with object-level rewriting and simply-typed function symbols. The methods used so far for non-dependent type systems (Breazu-Tannen and Gallier 1989; Dougherty 1991) cannot be applied to dependent type systems like CC since, in this case, rewriting is included in the type conversion rule and, thus, allows more terms to be typable. This was extended to PTS's in (Barthe and Geuvers 1995).

Other methods for proving strong normalization appeared. In 1993, Van de Pol (Van de Pol 1993; Van de Pol and Schwichtenberg 1995; Van de Pol 1996) extended to the simply-typed $\lambda$-calculus the use of monotonic interpretations. In 1999, Jouannaud and Rubio (Jouannaud and Rubio 1999) extended the Recursive Path Ordering (RPO) to the simply-typed $\lambda$-calculus.

In all these works, even the ones on CC, function symbols are always simply typed. It was Coquand (Coquand 1992) in 1992 who initiated the study of rewriting with dependent and polymorphic symbols. He studied the completeness of definitions with dependent types. He proposed a schema more general than the schema of Jouannaud and Okada since it allows inductive definitions on strictly-positive types, but it does not necessarily imply strong normalization. In 1996, Giménez (Giménez 1996; Giménez 1998) defined a restriction of this schema for which he proved strong normalization. In 1999, Jouannaud, Okada and the author (Blanqui et al. 2002; Blanqui et al. 1999) extended the General Schema in order to deal with strictly-positive types while still keeping simply-typed symbols. Finally, in 2000, Walukiewicz (Walukiewicz 2000; Walukiewicz-Chrząszcz 2002) extended Jouannaud and Rubio's HORPO to CC with dependent and polymorphic symbols.

All these works share a strong restriction: rewriting is restricted to the object level. 

In 1998, Dowek, Hardin and Kirchner (Dowek et al. 1998) proposed a new approach to deduction for first-order logic: Natural Deduction Modulo (NDM) a congruence $\equiv$ on propositions representing the intermediate computations between two deduction steps. This deduction system consists in replacing the usual rules of Natural Deduction by equivalent rules modulo $\equiv$. For instance, the elimination rule for $\Rightarrow$ (modus ponens) becomes:

$\dfrac{\Gamma \vdash R \quad\quad \Gamma \vdash P}{\Gamma \vdash Q}\ \ (R \equiv (P \Rightarrow Q))$

They proved that the simple theory of types (Dowek et al. 2001) and skolemized set theory can be seen as first-order theories modulo congruences using explicit substitutions (Abadi et al. 1991). In (Dowek and Werner 1998; Dowek and Werner 2000), Dowek and Werner gave several conditions ensuring strong normalization of cut elimination in NDM.



1.4. Contributions 

Our main contribution is to establish general conditions ensuring the strong normal- 
ization of the Calculus of Constructions (CC) extended with predicate-level rewriting 
(Blanqui 2001). In (Blanqui 2001), we show that these conditions are satisfied by most 
of the Calculus of Inductive Constructions (CIC) and by Natural Deduction Modulo 
(NDM) a large class of equational theories. 

Our work can be seen as an extension of both NDM and CC, where the congruence not 
only includes first-order rewriting but also higher-order rewriting since, in CC, functions 
and predicates can be applied to functions and predicates. 
It can therefore serve as a basis for a powerful extension of proof assistants like Coq (Coq Development Team 2002) or LEGO (Luo and Pollack 1992) which allow definitions by induction only. For its implementation, it may be convenient to use specialized rewriting-based applications like CiME (Contejean et al. 2000), ELAN (Borovansky et al. 2000) or Maude (Clavel et al. 1999). Furthermore, for program extraction (Paulin-Mohring 1989), one can imagine using rewriting-based languages and hence get more efficient extracted programs.

Considering predicate-level rewriting is not completely new. A particular case is the 
"strong elimination" of CIC, that is, the ability of defining predicates by induction on 
some inductively defined data type. The main novelty here is to consider arbitrary user- 
defined predicate-level rewrite rules. 

Therefore, for proving the strong normalization property, we cannot completely follow the methods of Werner (Werner 1994) and Altenkirch (Altenkirch 1993) since they use in an essential way the fact that function definitions are made by induction. And the methods used in the case of non-dependent first-order rewriting (Breazu-Tannen and Gallier 1989; Barbanera 1990; Dougherty 1991) cannot be applied because higher-order rewriting has a strong interaction with $\beta$-reduction and because, in dependent type systems, rewriting allows more terms to be typable. Our method is based on the notion of reducibility candidates of Tait and Girard (Girard et al. 1988) and extends Geuvers' method (Geuvers 1994) for dealing with rewriting.

Let us mention two other important contributions. 

For allowing some quotient types (rules on constructors) and matching on function 
symbols, which is not possible in CIC, we use a notion of constructor more general than 
the usual one (see Section 5.1). 

For ensuring the subject reduction property, that is, the preservation of typing under 
reduction, we introduce conditions more general than the ones used so far. In particular, 
these conditions allow us to get rid of non-linearities due to typing, which makes rewriting 
more efficient and confluence easier to prove (see Section 3). 

2. The Calculus of Algebraic Constructions 

The Calculus of Algebraic Constructions (CAC) is an extension of the Calculus of Con- 
structions (CC) (Coquand and Huet 1988) with function and predicate symbols defined 
by rewrite rules. 

2.1. Terms 

CC is a particular Pure Type System (PTS) (Barendregt 1992) defined from a set $\mathcal{S} = \{\star, \Box\}$ of sorts. The sort $\star$ is intended to be the type of data types and propositions, while the sort $\Box$ is intended to be the type of predicate types (also called kinds). For instance, the type $nat$ of natural numbers is of type $\star$, $\star$ is of type $\Box$, the predicate $\leq$ on natural numbers is of type $nat \Rightarrow nat \Rightarrow \star$, and $nat \Rightarrow nat \Rightarrow \star$ is of type $\Box$.
The terms of CC are usually defined by the following grammar rule:

$t ::= s \mid x \mid [x : t]t \mid (x : t)t \mid tt$

where $s$ is a sort, $x$ a variable, $[x : t]t$ an abstraction, $(x : t)t$ a (dependent) product, and $tt$ an application. We assume that the set $\mathcal{X}$ of variables is an infinite denumerable set disjoint from $\mathcal{S}$.

We simply extend CC by considering a denumerable set $\mathcal{F}$ of symbols, disjoint from $\mathcal{S}$ and $\mathcal{X}$, and by adding the following new construction:

$t ::= \ldots \mid f \in \mathcal{F}$

We denote by $\mathcal{T}(\mathcal{F}, \mathcal{X})$ the set of terms built from $\mathcal{F}$ and $\mathcal{X}$. Note that, in contrast with (Blanqui 2001), function symbols are curried. No notion of arity is required.

2.2. Notations 

Free and bound variables. A variable $x$ in the scope of an abstraction $[x : T]$ or a product $(x : T)$ is bound. As usual, it may be replaced by any other variable. This is $\alpha$-equivalence. A variable which is not bound is free. We denote by $FV(t)$ the set of free variables of a term $t$. A term without free variable is closed. We often denote by $U \Rightarrow V$ a product $(x : U)V$ with $x \notin FV(V)$ (non-dependent product). See (Barendregt 1992) for more details on these notions.

Vectors. We often use vectors $(\vec{t}, \vec{u}, \ldots)$ for sequences of terms (or anything else). The size of a vector $\vec{t}$ is denoted by $|\vec{t}|$. For instance, $[\vec{x} : \vec{T}]u$ denotes the term $[x_1 : T_1] \ldots [x_n : T_n]u$ where $n = |\vec{x}|$.

Positions. To designate a subterm of a term, we use a system of positions à la Dewey (words over the alphabet of positive integers). Formally, the set $Pos(t)$ of the positions in a term $t$ is inductively defined as follows:

- $Pos(f) = Pos(s) = Pos(x) = \{\varepsilon\}$,

- $Pos((x : t)u) = Pos([x : t]u) = Pos(tu) = 1.Pos(t) \cup 2.Pos(u)$,

where $\varepsilon$ denotes the empty word and '.' the concatenation. We denote by $t|_p$ the subterm of $t$ at the position $p$, and by $t[u]_p$ the term obtained by replacing $t|_p$ by $u$ in $t$. The relation "is a subterm of" is denoted by $\trianglelefteq$, and its strict part by $\triangleleft$.

We denote by $Pos(f, t)$ the set of positions $p$ in $t$ such that $t|_p = f$, and by $Pos(x, t)$ the set of positions $p$ in $t$ such that $t|_p$ is a free occurrence of $x$ in $t$.

Substitutions. A substitution $\theta$ is an application from $\mathcal{X}$ to $\mathcal{T}$ whose domain $dom(\theta) = \{x \in \mathcal{X} \mid x\theta \neq x\}$ is finite. Its set of free variables is $FV(\theta) = \bigcup\{FV(x\theta) \mid x \in dom(\theta)\}$. Applying a substitution $\theta$ to a term $t$ consists of replacing every variable $x$ free in $t$ by its image $x\theta$ (to avoid variable captures, bound variables must be distinct from free variables). The result is denoted by $t\theta$. We denote by $\{\vec{x} \mapsto \vec{t}\}$ the substitution which associates $t_i$ to $x_i$, and by $\theta \cup \{x \mapsto t\}$ the substitution which associates $t$ to $x$ and $y\theta$ to $y \neq x$.

Relations. Let $\to$ be a relation on terms. We denote by:

- $\to(t)$ the set of terms $t'$ such that $t \to t'$,

- $\leftarrow$ the inverse of $\to$,

- $\to^+$ the smallest transitive relation containing $\to$,

- $\to^*$ the smallest reflexive and transitive relation containing $\to$,

- $\leftrightarrow^*$ the smallest reflexive, transitive and symmetric relation containing $\to$,

- $\downarrow$ the relation $\to^* \leftarrow^*$ ($t \downarrow u$ if there exists $v$ such that $t \to^* v$ and $u \to^* v$).

If $t \to t'$ then we say that $t$ rewrites to $t'$. If $t \to^* t'$ then we say that $t$ reduces to $t'$. A relation $\to$ is stable by context if $u \to u'$ implies $t[u]_p \to t[u']_p$ for all term $t$ and position $p \in Pos(t)$. The relation $\to$ is stable by substitution if $t \to t'$ implies $t\theta \to t'\theta$ for all substitution $\theta$.

The $\beta$-reduction (resp. $\eta$-reduction) relation is the smallest relation stable by context and substitution containing $[x : U]v\ u \to_\beta v\{x \mapsto u\}$ (resp. $[x : U]tx \to_\eta t$ if $x \notin FV(t)$).

A term of the form $[x : U]v\ u$ (resp. $[x : U]tx$ with $x \notin FV(t)$) is a $\beta$-redex (resp. $\eta$-redex).

A relation $\to$ is weakly normalizing if, for all term $t$, there exists an irreducible term $t'$ to which $t$ reduces. We say that $t'$ is a normal form of $t$. A relation $\to$ is strongly normalizing (well-founded, noetherian) if, for all term $t$, any reduction sequence issued from $t$ is finite.

The relation $\to$ is locally confluent if, whenever a term $t$ rewrites to two distinct terms $u$ and $v$, then $u \downarrow v$. The relation $\to$ is confluent if, whenever a term $t$ reduces to two distinct terms $u$ and $v$, then $u \downarrow v$.

If $\to$ is locally confluent and strongly normalizing then $\to$ is confluent (Newman's lemma). If $\to$ is confluent and weakly normalizing then every term $t$ has a unique normal form denoted by $t{\downarrow}$.

Orderings. A precedence is a quasi-ordering on $\mathcal{F}$ whose strict part is well-founded. Let $>_1, \ldots, >_n$ be orderings on the sets $E_1, \ldots, E_n$ respectively. We denote by $(>_1, \ldots, >_n)_{lex}$ the lexicographic ordering on $E_1 \times \ldots \times E_n$. Now, let $>$ be an ordering on a set $E$. We denote by $>_{mul}$ the ordering on finite multisets on $E$. An important property of these extensions is that they preserve well-foundedness. See (Baader and Nipkow 1998) for more details on these notions.



2.3. Rewriting 

In first-order frameworks, that is, in a first-order term algebra, a rewrite rule is generally defined as a pair $l \to r$ of terms such that $l$ is not a variable and the variables occurring in $r$ also occur in $l$ (otherwise, rewriting does not terminate). Then, one says that a term $t$ rewrites to a term $t'$ at position $p$, written $t \to_p t'$, if there exists a substitution $\sigma$ such that $t|_p = l\sigma$ and $t' = t[r\sigma]_p$. See (Dershowitz and Jouannaud 1990) for more details on (first-order) rewriting.

Here, we consider a very similar rewriting mechanism by restricting left-hand sides of rules to be algebraic. On the other hand, right-hand sides can be arbitrary. This is a particular case of Combinatory Reduction System (CRS) (Klop et al. 1993) for which it is not necessary to use higher-order pattern-matching. However, we proved in (Blanqui 2000) that, in the case of the simply-typed $\lambda$-calculus, our termination criteria can be adapted to rewriting with higher-order pattern-matching.

Definition 1 (Rewriting) Terms only built from variables and applications of the form $f\vec{t}$ with $f \in \mathcal{F}$ are said algebraic. A rewrite rule is a pair of terms $l \to r$ such that $l$ is algebraic, distinct from a variable and $FV(r) \subseteq FV(l)$. A rule $l \to r$ is left-linear if no variable occurs more than once in $l$. A rule $l \to r$ is non-duplicating if no variable has more occurrences in $r$ than in $l$. A rule $f\vec{l} \to r$ is compatible with a precedence $\geq$ if, for all symbol $g$ occurring in $r$, $f \geq g$.

Let $\mathcal{R}$ be a denumerable set of rewrite rules. The $\mathcal{R}$-reduction relation $\to_\mathcal{R}$ is the smallest relation containing $\mathcal{R}$ and stable by substitution and context. A term of the form $l\sigma$ with $l \to r \in \mathcal{R}$ is an $\mathcal{R}$-redex. We assume that $\to_\mathcal{R}$ is finitely branching.

Given a set $\mathcal{G} \subseteq \mathcal{F}$, we denote by $\mathcal{R}_\mathcal{G}$ the set of rules that define a symbol in $\mathcal{G}$, that is, whose left-hand side is headed by a symbol in $\mathcal{G}$. A symbol $f$ is constant if $\mathcal{R}_{\{f\}} = \emptyset$, otherwise it is (partially) defined. We denote by $\mathcal{CF}$ the set of constant symbols and by $\mathcal{DF}$ the set of defined symbols.
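The rewriting mechanism of this section (positions, substitutions, matching, $\mathcal{R}$-reduction and the conditions on rules of Definition 1),  exercised on the sample definitions of Section 1.1 and the first two equality rules of Figure 2, as an added Python example. This is not the paper's code: the term representation, the uncurried first-order positions, the leftmost-outermost strategy and the order in which rules are tried are choices made here, and the rule set is constructed from the rules quoted in the text.

```python
# Added example: first-order rewriting over algebraic terms.  A variable is a
# Python str; an application f t1 ... tn is the tuple (f, t1, ..., tn), a
# constant the 1-tuple (f,).  Positions are tuples of argument indices.

def is_var(t):
    return isinstance(t, str)

def fv(t):
    """FV(t): the variables occurring in an algebraic term."""
    return {t} if is_var(t) else set().union(*(fv(a) for a in t[1:]))

def positions(t):
    """Pos(t), in leftmost-outermost order; () is the empty word."""
    if is_var(t):
        return [()]
    return [()] + [(i,) + p for i, a in enumerate(t[1:], 1) for p in positions(a)]

def subterm(t, p):
    """t|p: the subterm of t at position p."""
    for i in p:
        t = t[i]
    return t

def replace(t, p, u):
    """t[u]p: t with its subterm at position p replaced by u."""
    if not p:
        return u
    return t[:p[0]] + (replace(t[p[0]], p[1:], u),) + t[p[0] + 1:]

def subst(t, theta):
    """t theta: every variable x in dom(theta) is replaced by theta[x]."""
    return theta.get(t, t) if is_var(t) else (t[0],) + tuple(subst(a, theta) for a in t[1:])

def match(l, t, theta=None):
    """Syntactic matching: a substitution sigma with l sigma = t, or None.  A
    variable occurring twice in l (x = x -> T) needs syntactically equal subterms."""
    theta = {} if theta is None else theta
    if is_var(l):
        if l in theta and theta[l] != t:
            return None
        theta[l] = t
        return theta
    if is_var(t) or t[0] != l[0] or len(t) != len(l):
        return None
    for a, b in zip(l[1:], t[1:]):
        if match(a, b, theta) is None:
            return None
    return theta

def is_rule(l, r):
    """Definition 1: l algebraic (true by construction), not a variable, and
    FV(r) included in FV(l); a variable fresh in r would never terminate."""
    return not is_var(l) and fv(r) <= fv(l)

def left_linear(l):
    """No variable occurs more than once in l."""
    occ = [subterm(l, p) for p in positions(l) if is_var(subterm(l, p))]
    return len(occ) == len(set(occ))

def rewrite_step(t, rules):
    """One R-reduction step at the first position where a rule matches (rules
    are tried in list order), or None when t is in R-normal form."""
    for p in positions(t):
        u = subterm(t, p)
        for l, r in rules:
            sigma = match(l, u)
            if sigma is not None:
                return replace(t, p, subst(r, sigma))
    return None

def normalize(t, rules, fuel=10000):
    """Reduce t to an R-normal form; returns (normal form, number of steps).
    The fuel bound guards against a rule set that does not terminate."""
    steps = 0
    while True:
        t2 = rewrite_step(t, rules)
        if t2 is None:
            return t, steps
        t, steps = t2, steps + 1
        if steps > fuel:
            raise RuntimeError("no normal form within %d steps" % fuel)

# Constructed signature and rules, taken from Section 1.1 and Figure 2.
ZERO, TRUE, FALSE, TOP = ("0",), ("true",), ("false",), ("T",)
def S(t): return ("s", t)
def P(t): return ("p", t)
def num(n): return ZERO if n == 0 else S(num(n - 1))

RULES = [
    (("+", "x", ZERO), "x"),                            # x + 0 -> x, listed first: one step
    (("+", ZERO, "y"), "y"),                            # 0 + y -> y
    (("+", S("x"), "y"), S(("+", "x", "y"))),           # (s x) + y -> s (x + y)
    (("*", ZERO, "y"), ZERO),                           # 0 * y -> 0
    (("*", S("x"), "y"), ("+", "y", ("*", "x", "y"))),  # (s x) * y -> y + (x * y)
    (("<=", ZERO, "y"), TRUE),                          # 0 <= y -> true
    (("<=", S("x"), ZERO), FALSE),                      # s x <= 0 -> false
    (("<=", S("x"), S("y")), ("<=", "x", "y")),         # s x <= s y -> x <= y
    (S(P("x")), "x"), (P(S("x")), "x"),                 # integers: s (p x) -> x, p (s x) -> x
    (("=", "x", "x"), TOP),                             # x = x -> T (Figure 2, non-left-linear)
    (("=", S("x"), S("y")), ("=", "x", "y")),           # s x = s y -> x = y
]
assert all(is_rule(l, r) for l, r in RULES)
```

With this rule set, `normalize(("+", num(2), num(2)), RULES)` reaches `num(4)` in three steps, `n + 0` takes a single step because `x + 0 -> x` is tried first (six steps for `n = 5` with the two inductive rules alone), and the open term `x + 2` is already in normal form while `2 + x` reduces to `s (s x)`, which is exactly the asymmetry discussed under "More automation". The equality `2 + 2 = 4` normalizes to `T` through the non-left-linear rule `x = x -> T`, so checking an equation is checking that both sides share a normal form. Confluence and termination are not checked by this code; the fuel bound only turns a non-terminating rule set into an exception.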

2.4. Typing 

We now define the set of well-typed terms. An environment $\Gamma$ is a list of pairs $x : T$ made of a variable $x$ and a term $T$. We denote by $\emptyset$ the empty environment and by $\mathcal{E}(\mathcal{F}, \mathcal{X})$ the set of environments built from $\mathcal{F}$ and $\mathcal{X}$. The domain of an environment $\Gamma$, $dom(\Gamma)$, is the set of variables $x$ such that a pair $x : T$ belongs to $\Gamma$. If $x \in dom(\Gamma)$ then we denote by $x\Gamma$ the first term $T$ such that $x : T$ belongs to $\Gamma$. The set of free variables in an environment $\Gamma$ is $FV(\Gamma) = \bigcup\{FV(x\Gamma) \mid x \in dom(\Gamma)\}$. Given two environments $\Gamma$ and $\Gamma'$, $\Gamma$ is included in $\Gamma'$, written $\Gamma \subseteq \Gamma'$, if all the elements of $\Gamma$ occur in $\Gamma'$ in the same order.

Definition 2 (Typing) We assume that every variable $x$ is equipped with a sort $s_x$, that the set $\mathcal{X}^s$ of variables of sort $s$ is infinite, and that $\alpha$-equivalence preserves sorts. Let $FV^s(t) = FV(t) \cap \mathcal{X}^s$ and $dom^s(\Gamma) = dom(\Gamma) \cap \mathcal{X}^s$. We also assume that every symbol $f$ is equipped with a sort $s_f$ and a closed type $\tau_f = (\vec{x} : \vec{T})U$ such that, for all rule $f\vec{l} \to r$, $|\vec{l}| \leq |\vec{x}|$. We often write $f : T$ for saying that $\tau_f = T$.

The typing relation of a CAC is the smallest ternary relation $\vdash \subseteq \mathcal{E} \times \mathcal{T} \times \mathcal{T}$ defined by the inference rules of Figure 3 where $s, s' \in \mathcal{S}$. A term $t$ is typable if there exists an environment $\Gamma$ and a term $T$ such that $\Gamma \vdash t : T$ ($T$ is a type of $t$ in $\Gamma$). In the following, we always assume that $\vdash \tau_f : s_f$ for all $f \in \mathcal{F}$.

An environment is valid if a term is typable in it. A substitution $\theta$ is well-typed from $\Gamma$ to $\Delta$, $\theta : \Gamma \leadsto \Delta$, if, for all $x \in dom(\Gamma)$, $\Delta \vdash x\theta : x\Gamma\theta$. We denote by $T \sqsubseteq_\Gamma T'$ the fact that $T \downarrow T'$ and $\Gamma \vdash T' : s'$, and by $T \simeq_\Gamma T'$ the fact that $T \sqsubseteq_\Gamma T'$ and $\Gamma \vdash T : s$.

Compared with CC, we have a new rule, (symb), for typing symbols and, in the type conversion rule (conv), we have $\downarrow_{\beta\mathcal{R}}$ (that we simply denote by $\downarrow$ in the rest of the paper) instead of the $\beta$-conversion $\leftrightarrow^*_\beta = \downarrow_\beta$ (since $\beta$ is confluent).
Fig. 3. Typing rules

(ax) $\dfrac{}{\vdash \star : \Box}$

(symb) $\dfrac{\vdash \tau_f : s_f}{\vdash f : \tau_f}$

(var) $\dfrac{\Gamma \vdash T : s_x}{\Gamma, x : T \vdash x : T}$ $\ (x \notin dom(\Gamma))$

(weak) $\dfrac{\Gamma \vdash t : T \quad\quad \Gamma \vdash U : s_x}{\Gamma, x : U \vdash t : T}$ $\ (x \notin dom(\Gamma))$

(prod) $\dfrac{\Gamma \vdash U : s \quad\quad \Gamma, x : U \vdash V : s'}{\Gamma \vdash (x : U)V : s'}$

(abs) $\dfrac{\Gamma, x : U \vdash v : V \quad\quad \Gamma \vdash (x : U)V : s}{\Gamma \vdash [x : U]v : (x : U)V}$

(app) $\dfrac{\Gamma \vdash t : (x : U)V \quad\quad \Gamma \vdash u : U}{\Gamma \vdash tu : V\{x \mapsto u\}}$

(conv) $\dfrac{\Gamma \vdash t : T \quad\quad \Gamma \vdash T' : s'}{\Gamma \vdash t : T'}$ $\ (T \downarrow T')$



Well-typed substitutions enjoy the following important substitution property: if $\Gamma \vdash t : T$ and $\theta : \Gamma \leadsto \Delta$ then $\Delta \vdash t\theta : T\theta$.

The relations $\sqsubseteq_\Gamma$ (not symmetric) and $\simeq_\Gamma$ (symmetric) are useful when inverting typing judgements. For instance, a derivation of $\Gamma \vdash uv : W'$ necessarily terminates by an application of the (app) rule, possibly followed by applications of the rules (weak) and (conv). Therefore, there exist $V$ and $W$ such that $\Gamma \vdash u : (x : V)W$, $\Gamma \vdash v : V$ and $W\{x \mapsto v\} \sqsubseteq_\Gamma W'$. Since, in the (conv) rule, $T$ is not required to be typable by some sort $s$ (as is the case for $T'$), it is not a priori the case that $W\{x \mapsto v\}$ is typable and therefore that, in fact, $W\{x \mapsto v\} \simeq_\Gamma W'$.

Many of the well-known basic properties of Pure Type Systems (PTS's) (Barendregt 1992) also hold for CAC's. In (Blanqui 2001), we study these properties in an abstract way by considering a PTS equipped with an unspecified type conversion rule (instead of $\downarrow_\beta$ or $\downarrow_{\beta\mathcal{R}}$ for instance), hence factorizing several previous proofs for different PTS extensions. The properties we use in this paper are:

(type correctness) If $\Gamma \vdash t : T$ then either $T = \Box$ or $\Gamma \vdash T : s$.

(conversion correctness) If $\Gamma \vdash T : s$ and $T \sqsubseteq_\Gamma T'$ then $\Gamma \vdash T' : s$.

(convertibility of types) If $\Gamma \vdash t : T$ and $\Gamma \vdash t : T'$ then $T \downarrow T'$.

Only convertibility of types requires confluence (conversion correctness is proved in Section 3.2 without using confluence).

Among well-typed terms, we distinguish:

- The set $\mathcal{K}$ of predicate types or kinds made of the terms $K$ such that $\Gamma \vdash K : \Box$. It is easy to check that every predicate type is of the form $(\vec{x} : \vec{T})\star$.

- The set $\mathcal{P}$ of predicates made of the terms $T$ such that $\Gamma \vdash T : K$ and $\Gamma \vdash K : \Box$.

- The set $\mathcal{O}$ of objects made of the terms $t$ such that $\Gamma \vdash t : T$ and $\Gamma \vdash T : \star$.

3. Subject reduction

Before studying the strong normalization or the logical consistency of our system, we must make sure that the reduction relation $\to_{\beta\mathcal{R}}$ is indeed correct w.r.t. typing, that is, if $\Gamma \vdash t : T$ and $t \to_{\beta\mathcal{R}} t'$ then $\Gamma \vdash t' : T$. This property is usually called subject reduction. Once it holds, it can be easily extended to types, environments and substitutions:

- If $\Gamma \vdash t : T$ and $T \to T'$ then $\Gamma \vdash t : T'$.

- If $\Gamma \vdash t : T$ and $\Gamma \to \Gamma'$ then $\Gamma' \vdash t : T$.

- If $\theta : \Gamma \leadsto \Delta$ and $\theta \to \theta'$ then $\theta' : \Gamma \leadsto \Delta$.

In presence of dependent types and rewriting, the subject reduction for $\beta$ appears to be a difficult problem. Indeed, in the case of a head-reduction $[x : U']v\, u \to_\beta v\{x \mapsto u\}$ with $\Gamma \vdash [x : U']v : (x : U)V$ and $\Gamma \vdash u : U$, we must prove that $\Gamma \vdash v\{x \mapsto u\} : V\{x \mapsto u\}$. By inversion, we have $\Gamma, x : U' \vdash v : V'$ with $(x : U')V' \simeq_\Gamma (x : U)V$. We can conclude that $\Gamma \vdash v\{x \mapsto u\} : V\{x \mapsto u\}$ only if:

$(x : U')V' \simeq_\Gamma (x : U)V$ implies $U' \simeq_\Gamma U$ and $V' \simeq_{\Gamma, x : U} V$,

a property that we call product compatibility.

This is immediate as soon as $\to_{\beta\mathcal{R}}$ is confluent. Unfortunately, there are very few results on the confluence of higher-order rewriting and $\beta$-reduction together (see the discussion after Definition 29). Fortunately, confluence is not the only way to prove the product compatibility. In (Geuvers 1993), Geuvers proves the product compatibility for the Calculus of Constructions (CC) with $\downarrow_{\beta\eta}$ as type conversion relation, although $\to_{\beta\eta}$ is not confluent on untyped terms: $[x : T]x \leftarrow_\eta [x : T]([y : U]y\, x) \to_\beta [y : U]y =_\alpha [x : U]x$ (Nederpelt 1973). And, in (Barbanera et al. 1997), Barbanera, Fernández and Geuvers prove the product compatibility for CC with $\downarrow_\beta \cup \downarrow_\mathcal{R}$ as type conversion relation, where $\mathcal{R}$ is a set of simply-typed object-level rewrite rules.

In Section 3.2, we prove the product compatibility, hence the subject reduction of $\beta$, for a large class of rewrite systems, including predicate-level rewriting, without using confluence, by generalizing the proof of Barbanera, Fernández and Geuvers (Barbanera et al. 1997). Before that, we study the subject reduction for rewriting.

3.1. Subject reduction for rewriting

In first-order sorted algebras, for rewriting to preserve sorts, it suffices that both sides of a rule have the same sort. Carried over to type systems, this condition gives: there exists an environment $\Gamma$ and a type $T$ such that $\Gamma \vdash l : T$ and $\Gamma \vdash r : T$. This condition is the one which has been taken in all previous work combining typed $\lambda$-calculus and rewriting. However, it has an important drawback. With polymorphic or dependent types, it leads to strongly non left-linear rules, which has two important consequences. First, rewriting is strongly slowed down because of the necessary equality tests. Second, it is more difficult to prove confluence.

Let us take the example of the concatenation of two polymorphic lists (type $list : \star \Rightarrow \star$ with the constructors $nil : (A : \star)list\, A$ and $cons : (A : \star)A \Rightarrow list\, A \Rightarrow list\, A$):

$app\ A\ (nil\ A)\ \ell' \to \ell'$
$app\ A\ (cons\ A\ x\ \ell)\ \ell' \to cons\ A\ x\ (app\ A\ \ell\ \ell')$

This definition satisfies the usual condition by taking $\Gamma = A : \star, x : A, \ell : list\, A, \ell' : list\, A$ and $T = list\, A$. But one may wonder whether it is really necessary to do an equality test between the first argument of $app$ and the first argument of $cons$ when one wants to apply the second rule. Indeed, if $app\ A\ (cons\ A'\ x\ \ell)\ \ell'$ is well-typed then, by inversion, $cons\ A'\ x\ \ell$ is of type $list\, A$ and, by inversion again, $list\, A'$ is convertible to $list\, A$. Thus, $A$ is convertible to $A'$.

In fact, what is important is not that the left-hand side of a rule be typable, but that, if an instance of the left-hand side of a rule is typable, then the corresponding instance of the right-hand side has the same type. We express this by requiring that there exists an environment $\Gamma$ in which the right-hand side is typable, and a substitution $\rho$ which replaces the variables of the left-hand side not belonging to $\Gamma$ by terms typable in $\Gamma$. Hence, one can consider the following rules instead:

$app\ A\ (nil\ A')\ \ell' \to \ell'$
$app\ A\ (cons\ A'\ x\ \ell)\ \ell' \to cons\ A\ x\ (app\ A\ \ell\ \ell')$

by taking $\Gamma = A : \star, x : A, \ell : list\, A, \ell' : list\, A$ and $\rho = \{A' \mapsto A\}$.

Definition 3 (Well-typed rule) A rule $l \to r$ with $l = f\vec{l}$, $f : (\vec{x} : \vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$ is well-typed if there exists an environment $\Gamma$ and a substitution $\rho$ such that:‖

(S3) $\Gamma \vdash r : U\gamma\rho$,

(S4) $\forall \Delta, \sigma, T$, if $\Delta \vdash l\sigma : T$ then $\sigma : \Gamma \leadsto \Delta$,

(S5) $\forall \Delta, \sigma, T$, if $\Delta \vdash l\sigma : T$ then $\sigma \downarrow \rho\sigma$.

In the following, we write $(l \to r, \Gamma, \rho) \in \mathcal{R}$ when the previous conditions are satisfied.

An example with dependent types is given by the concatenation of two lists of fixed length (type $list : nat \Rightarrow \star$ with the constructors $nil : list\ 0$ and $cons : nat \Rightarrow (n : nat)list\, n \Rightarrow list\, (s\, n)$) and the function $map$ which applies a function $f$ to every element of a list:

$app : (n : nat)list\, n \Rightarrow (n' : nat)list\, n' \Rightarrow list\, (n + n')$
$map : (nat \Rightarrow nat) \Rightarrow (n : nat)list\, n \Rightarrow list\, n$

where $app$ and $map$ are defined by:

$app\ 0\ \ell\ n'\ \ell' \to \ell'$
$app\ p\ (cons\ x\ n\ \ell)\ n'\ \ell' \to cons\ x\ (n + n')\ (app\ n\ \ell\ n'\ \ell')$

$map\ f\ 0\ \ell \to \ell$
$map\ f\ p\ (cons\ x\ n\ \ell) \to cons\ (f\, x)\ n\ (map\ f\ n\ \ell)$
$map\ f\ p\ (app\ n\ \ell\ n'\ \ell') \to app\ n\ (map\ f\ n\ \ell)\ n'\ (map\ f\ n'\ \ell')$

For the second rule of $app$, we take $\Gamma = x : nat, n : nat, \ell : list\, n, n' : nat, \ell' : list\, n'$ and $\rho = \{p \mapsto s\, n\}$. This avoids checking that $p$ is convertible to $s\, n$. For the third rule of $map$, we take $\Gamma = f : nat \Rightarrow nat, n : nat, \ell : list\, n, n' : nat, \ell' : list\, n'$ and $\rho = \{p \mapsto n + n'\}$. This avoids checking that $p$ is convertible to $n + n'$. The reader will find more examples at the end of Section 5.

‖ The conditions (S1) $dom(\rho) \cap dom(\Gamma) = \emptyset$ and (S2) $\Gamma \vdash l\rho : U\gamma\rho$ given in (Blanqui 2001) are not necessary for proving the subject reduction property, but they are necessary for proving the strong normalization property of the higher-order rewrite rules (see Definition 26).

Lemma 4 If $\beta\mathcal{R}$ is product compatible, $f : (\vec{x} : \vec{T})U$, $\theta = \{\vec{x} \mapsto \vec{t}\}$ and $\Gamma \vdash f\vec{t} : T$ then $\theta : \Gamma_f \leadsto \Gamma$ and $U\theta \sqsubseteq_\Gamma T$, where $\Gamma_f = \vec{x} : \vec{T}$.

Proof. By inversion, there is a sequence of products $(x_i : T'_i)U_i$ ($1 \le i \le n = |\vec{x}|$) such that $\Gamma \vdash f t_1 \ldots t_{n-1} : (x_n : T'_n)U_n$, $\Gamma \vdash t_n : T'_n$, $U_n\theta \sqsubseteq_\Gamma T$, $\ldots$, $\Gamma \vdash f : (x_1 : T'_1)U_1$, $\Gamma \vdash t_1 : T'_1$, $U_1\theta \simeq_\Gamma (x_2 : T'_2)U_2$ and $(\vec{x} : \vec{T})U \simeq_\Gamma (x_1 : T'_1)U_1$. Let $V_i = (x_{i+1} : T_{i+1}) \ldots (x_n : T_n)U$. By product compatibility, $T_1\theta = T_1 \simeq_\Gamma T'_1$ and $V_1 \simeq_{\Gamma, x_1 : T'_1} U_1$. Hence, $V_1\theta = (x_2 : T_2\theta)V_2\theta \simeq_\Gamma U_1\theta \simeq_\Gamma (x_2 : T'_2)U_2$. Therefore, by induction, $T_2\theta \simeq_\Gamma T'_2$, $\ldots$, $T_n\theta \simeq_\Gamma T'_n$ and $U\theta \simeq_\Gamma U_n\theta \sqsubseteq_\Gamma T$. Hence, by conversion, $\Gamma \vdash t_i : T_i\theta$, that is, $\theta : \Gamma_f \leadsto \Gamma$. □

Theorem 5 (Subject reduction for $\mathcal{R}$) If $\beta\mathcal{R}$ is product compatible and $\mathcal{R}$ is a set of well-typed rules then $\mathcal{R}$ preserves typing.

Proof. As usual, we prove by induction on $\Delta \vdash t : T$ that, if $t \to_\mathcal{R} t'$ then $\Delta \vdash t' : T$, and if $\Delta \to_\mathcal{R} \Delta'$ then $\Delta' \vdash t : T$. We only detail the (app) case. Assume that $\Delta \vdash l\sigma : T$, $(l \to r, \Gamma, \rho) \in \mathcal{R}$, $l = f\vec{l}$, $f : (\vec{x} : \vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$. Let $\theta = \gamma\sigma$. After Lemma 4, $\theta : \Gamma_f \leadsto \Delta$ and $U\theta \sqsubseteq_\Delta T$. By (S4), $\sigma : \Gamma \leadsto \Delta$. By (S3), $\Gamma \vdash r : U\gamma\rho$. Therefore, by substitution, $\Delta \vdash r\sigma : U\gamma\rho\sigma$. By (S5), $\rho\sigma \downarrow \sigma$. Therefore, by conversion, $\Delta \vdash r\sigma : U\theta$ and $\Delta \vdash r\sigma : T$. □

How to check the conditions (S3), (S4) and (S5)? In all their generality, they are certainly undecidable. On the one hand, we do not know whether $\vdash$ and $\downarrow$ are decidable and, on the other hand, in (S4) and (S5), we arbitrarily quantify over $\Delta$, $\sigma$ and $T$. It is therefore necessary to put additional restrictions. In the following, we successively consider the three conditions.

Let us look at (S3). In practice, the symbols and their defining rules are often added one after another (or by groups, but the following argument can be generalized). Let $(\mathcal{F}, \mathcal{R})$ be a system in which $\vdash$ is decidable, $f \notin \mathcal{F}$ and $\mathcal{R}_f$ a set of rules defining $f$ and whose symbols belong to $\mathcal{F}' = \mathcal{F} \cup \{f\}$. Then, in $(\mathcal{F}', \mathcal{R})$, $\vdash$ is still decidable. One can therefore try to check (S3) in this system. This does not seem an important restriction: it would be surprising if the typing of a rule required the use of the rule itself!

We now consider (S4).

Definition 6 (Canonical and derived types) Let $t$ be a term of the form $l\sigma$ with $l = f\vec{l}$ algebraic, $f : (\vec{x} : \vec{T})U$, $n = |\vec{x}| = |\vec{l}|$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$. The term $U\gamma\sigma$ will be called the canonical type of $t$. Let $p \in Pos(l)$ of the form $(1^*2)^+$. We inductively define the type of $t|_p$ derived from $t$, $\tau(t, p)$, as follows:

- if $p = 1^{n-i}2$ then $\tau(t, p) = T_i\gamma\sigma$,

- if $p = 1^{n-i}2q$ and $q \ne \varepsilon$ then $\tau(t, p) = \tau(l_i\sigma, q)$.

The type of $t|_p$ derived from $t$ only depends on the term above $t|_p$.

Lemma 7 (S4) If, for all $x \in dom(\Gamma)$, there is $p \in Pos(x, l)$ such that $x\Gamma = \tau(l, p)$, then (S4) is satisfied.

Proof. We prove (S4) by induction on the size of $l$. Assume that $\Delta \vdash l\sigma : T$. We must prove that, for all $x \in dom(\Gamma)$, $\Delta \vdash x\sigma : x\Gamma\sigma$. By assumption, there is $p \in Pos(x, l)$ such that $x\Gamma = \tau(l, p)$. Since $l = f\vec{l}$, $p = 1^{n-j}2q$ for some $j$. Assume that $f : (\vec{x} : \vec{T})U$. Let $\gamma = \{\vec{x} \mapsto \vec{l}\}$ and $\theta = \gamma\sigma$. If $q = \varepsilon$ then $x = l_j$ and $x\Gamma = T_j\gamma$. Now, after Lemma 4, $\theta : \Gamma_f \leadsto \Delta$. So, $\Delta \vdash x_j\theta : T_j\theta$, that is, $\Delta \vdash x\sigma : x\Gamma\sigma$. Assume now that $q \ne \varepsilon$. Since $\Delta \vdash l_j\sigma : T_j\theta$, $l_j$ is of the form $g\vec{m}$ and $x\Gamma = \tau(l_j, q)$, by induction hypothesis, $\Delta \vdash x\sigma : x\Gamma\sigma$. □
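As an added illustration (this code is not part of the paper), the following Python implements the derived types $\tau(t, p)$ of Definition 6 and the sufficient condition of Lemma 7 for (S4), and runs the check on the second rule of $app$ from the dependent-list example above. It assumes a first-order encoding: a symbol type is a list of (binder, argument type) pairs plus a codomain, and argument types contain no binders, which is enough for $app$ and $cons$. The names SIGS, LHS, GAMMA and the tuple encoding of terms are this example's own choices.

```python
# Added example (not from the paper): Lemma 7's syntactic check for (S4),
# built on the derived types tau(t, p) of Definition 6.
# Terms are first-order: ('var', name) | ('sym', name) | ('app', t, u)

def var(n): return ('var', n)
def sym(n): return ('sym', n)
def app(f, *args):
    """Left-nested application f a1 ... an."""
    t = f
    for a in args:
        t = ('app', t, a)
    return t

def subst(t, s):
    """Simultaneous substitution s (dict name -> term) on binder-free terms."""
    if t[0] == 'var':
        return s.get(t[1], t)
    if t[0] == 'sym':
        return t
    return ('app', subst(t[1], s), subst(t[2], s))

def head_args(t):
    """Split f t1 ... tn into (f, [t1, ..., tn])."""
    args = []
    while t[0] == 'app':
        args.append(t[2])
        t = t[1]
    args.reverse()
    return t, args

def positions(t, x):
    """Pos(x, t): positions of variable x in t, as strings over {'1', '2'}."""
    if t[0] == 'var':
        return [''] if t[1] == x else []
    if t[0] == 'sym':
        return []
    return ['1' + p for p in positions(t[1], x)] + ['2' + p for p in positions(t[2], x)]

def derived_type(t, p, sigs):
    """tau(t, p) of Definition 6 for t = f l1 ... ln, p = 1^(n-i) 2 q.
    sigs maps a symbol to ([(binder, type), ...], codomain).  None if undefined."""
    f, args = head_args(t)
    if f[0] != 'sym' or f[1] not in sigs:
        return None
    binders, _codomain = sigs[f[1]]
    n = len(args)
    if len(binders) != n:                 # Definition 6 assumes |x| = |l|
        return None
    ones = len(p) - len(p.lstrip('1'))
    i = n - ones                          # 1-based argument index
    if i < 1 or p[ones:ones + 1] != '2':
        return None
    q = p[ones + 1:]
    gamma = {b: a for (b, _), a in zip(binders, args)}
    if q == '':
        return subst(binders[i - 1][1], gamma)      # T_i gamma sigma
    return derived_type(args[i - 1], q, sigs)        # tau(l_i sigma, q)

def check_s4(lhs, env, sigs):
    """Lemma 7: every x in dom(env) must have a position p in lhs with x env = tau(lhs, p).
    Returns the variables that fail, with their declared type ({} = condition holds)."""
    return {x: ty for x, ty in env.items()
            if not any(derived_type(lhs, p, sigs) == ty for p in positions(lhs, x))}

# The paper's dependent-list signature, in this example's first-order encoding.
NAT = sym('nat')
def LIST(n): return app(sym('list'), n)
SIGS = {
    'cons': ([('x', NAT), ('n', NAT), ('l', LIST(var('n')))],
             LIST(app(sym('s'), var('n')))),
    'app':  ([('n', NAT), ('l', LIST(var('n'))), ("n'", NAT), ("l'", LIST(var("n'")))],
             LIST(app(sym('+'), var('n'), var("n'")))),
}
# Second rule of app:  app p (cons x n l) n' l'  with the environment Gamma of the text.
LHS = app(sym('app'), var('p'), app(sym('cons'), var('x'), var('n'), var('l')),
          var("n'"), var("l'"))
GAMMA = {'x': NAT, 'n': NAT, 'l': LIST(var('n')), "n'": NAT, "l'": LIST(var("n'"))}

if __name__ == '__main__':
    print(check_s4(LHS, GAMMA, SIGS))                              # {}: (S4) holds
    print(check_s4(LHS, {**GAMMA, 'l': LIST(var("n'"))}, SIGS))   # l rejected
```

The variable $p$ does not belong to $dom(\Gamma)$ (it is in $dom(\rho)$), so the check never looks at it: no equality test between $p$ and $s\, n$ is needed, which is exactly the point of Definition 3. Declaring $\ell : list\, n'$ instead of $list\, n$ makes the check fail, since the only derived type available for $\ell$ is $T_3^{cons}\gamma = list\, n$.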

For (S5), we have no general result. By inversion, (S5) can be seen as a unification problem modulo $\downarrow^*$. The confluence of $\to$ (which implies that $\downarrow^* = \downarrow$) can therefore be very useful. Unfortunately, there are very few results on the confluence of the combination of higher-order rewriting and $\beta$-reduction (see the discussion after Definition 29). On the other hand, one can easily prove that local confluence is preserved.

Theorem 8 (Local confluence) If $\mathcal{R}$ is locally confluent on algebraic terms then $\beta\mathcal{R}$ is locally confluent on any term.

Proof. Assume that $t \to^p t_1$ and $t \to^q t_2$. We prove by induction on $t$ that there exists $t'$ such that $t_1 \to^* t'$ and $t_2 \to^* t'$. There are three cases:

• $p \parallel q$ ($p$ and $q$ have no common prefix). The reductions at $p$ and $q$ can be done in parallel: $t_1 \to^q t'_1$, $t_2 \to^p t'_2$ and $t'_1 = t'_2$.

• $p = ip'$ and $q = iq'$. We can conclude by induction hypothesis on $t|_i$.

• $p = \varepsilon$ or $q = \varepsilon$. By exchanging the roles of $p$ and $q$, we can assume that $p = \varepsilon$. There are two cases:

- $t = [x : V]u\, v$ and $t_1 = u\{x \mapsto v\}$. We distinguish three sub-cases:
  ∘ $q = 11q'$ and $V \to^{q'} V'$. Then, $t' = t_1$ works.
  ∘ $q = 12q'$ and $u \to^{q'} u'$. Then, $t' = u'\{x \mapsto v\}$ works.
  ∘ $q = 2q'$ and $v \to^{q'} v'$. Then, $t' = u\{x \mapsto v'\}$ works.

- $t = l\sigma$, $l \to r \in \mathcal{R}$ and $t_1 = r\sigma$. There exists an algebraic term $u$ of maximal size and a substitution $\theta$ such that $t = u\theta$ and $x\theta = y\theta$ implies $x = y$ ($u$ and $\theta$ are unique up to the choice of variables, and $u$ has the same non-linearities as $t$). As the left-hand sides of rules are algebraic, $u = l\sigma'$ and $\sigma = \sigma'\theta$. Now, we distinguish two sub-cases:
  ∘ $q \in Pos(u)$. As the left-hand sides of rules are algebraic, we have $u \to_\mathcal{R} r\sigma'$ and $u \to_\mathcal{R} v$ with $t_2 = v\theta$. By local confluence of $\to_\mathcal{R}$ on algebraic terms, there exists $u'$ such that $r\sigma' \to^* u'$ and $v \to^* u'$. Then, $t' = u'\theta$ works.
  ∘ $q = q_1 q'$ and $u|_{q_1} = x$. Let $q_2, \ldots, q_n$ be the positions of the other occurrences of $x$ in $u$. If one reduces $t_2$ at each position $q_i q'$ ($i \ge 2$), one obtains a term of the form $l\sigma'\theta'$ where $\theta'$ is the substitution such that $x\theta'$ is the reduct of $x\theta$, and $y\theta' = y\theta$ if $y \ne x$. Reducing every occurrence of $x\theta$ in $t_1 = r\sigma'\theta$ in the same way, $t' = r\sigma'\theta'$ works. □

3.2. Subject reduction for $\beta$

In this section, we prove the product compatibility, hence the subject reduction of $\beta$, for a large class of rewrite systems, including predicate-level rewrite rules, without using confluence, by generalizing the proof of Barbanera, Fernández and Geuvers (Barbanera et al. 1997). It is worth noting that no result of this section assumes the subject reduction property for rewriting. They only rely on simple syntactic properties of $\beta$-reduction and rewriting with respect to predicates and kinds (Lemma 11).

The idea is to $\beta$-weak-head normalize all the intermediate terms between $(x : U')V'$ and $(x : U)V$ so that we obtain a sequence of conversions between product terms only. We first show that the subject reduction property can indeed be studied in a system whose conversion relation is like the one used in (Barbanera et al. 1997).

Lemma 9 Let $A$ be a CAC with conversion relation $\downarrow$ and $A'$ be the same CAC but with conversion relation $\downarrow_\beta \cup \downarrow_\mathcal{R}$. If $\to_{\beta\mathcal{R}}$ has the subject reduction property in $A'$ then $A = A'$ (and $\to_{\beta\mathcal{R}}$ has the subject reduction property in $A$).

Proof. Let $\vdash$ (resp. $\vdash'$) be the typing relation of $A$ (resp. $A'$). Since $\downarrow_\beta \cup \downarrow_\mathcal{R} \subseteq \downarrow_{\beta\mathcal{R}}$, we clearly have $\vdash' \subseteq \vdash$. We prove by induction on $\vdash$ that $\vdash \subseteq \vdash'$. The only difficult case is of course (conv). By induction hypothesis, we have $\Gamma \vdash' t : T$ and $\Gamma \vdash' T' : s'$. Furthermore, we have $T \to^*_{r_1} \cdots \to^*_{r_n} \cdot \leftarrow^*_{s_m} \cdots \leftarrow^*_{s_1} T'$ with $r_k, s_k \in \{\beta, \mathcal{R}\}$. By type correctness, either $T = \Box$ or there is a sort $s$ such that $\Gamma \vdash' T : s$. If $T = \Box$ then $T' \to^* \Box$. But, since $\to$ has the subject reduction property in $A'$, we get that $\Gamma \vdash' \Box : s'$, which is not possible. Therefore, $T$ and $T'$ are typable in $A'$ and, since $\to$ has the subject reduction property in $A'$, all the terms between $T$ and $T'$ are also typable in $A'$. Therefore, we can replace the conversion in $A$ by a sequence of conversions in $A'$. □

We now prove a series of useful results about kinds and predicates which will allow us to prove the subject reduction property on types for the $\beta$-weak-head reduction relation $h$: $t \to_h t'$ if $t = [\vec{x} : \vec{T}]([x : U]v\, u\, \vec{t})$ and $t' = [\vec{x} : \vec{T}](v\{x \mapsto u\}\, \vec{t})$. The internal reduction relation (the reduction steps that are not $h$-steps) will be denoted by $i$. To this end, we introduce several sets of terms.

- $\mathcal{K}$: terms of the form $(\vec{x} : \vec{T})\star$, usually called kinds.

- $\mathcal{P}$: smallest set of terms, called predicates, such that $\mathcal{X}^\Box \cup \mathcal{F}^\Box \subseteq \mathcal{P}$ and, if $p \in \mathcal{P}$, then $pt \in \mathcal{P}$, $[x : t]p \in \mathcal{P}$ and $(x : t)p \in \mathcal{P}$ (a predicate is thus a term whose head, once applications, abstractions and products are stripped, is a predicate variable or a predicate symbol).

- $\mathcal{W}$: terms having a subterm of the form $[y : W]K$ or $wK$ with $K \in \mathcal{K}$, called a bad kind.

- $\mathcal{B}$: terms containing $\Box$.
Lemma 10 ($\alpha$) No term in $\mathcal{B}$ is typable.
($\beta$) If $\Gamma \vdash t : \Box$ then $t \in \mathcal{K}$.
($\gamma$) If $t\theta \in \mathcal{B}$ then $t \in \mathcal{B}$ or $x\theta \in \mathcal{B}$ for some $x$.
($\delta$) If $t\theta \in \mathcal{K}$ then $t \in \mathcal{K}$ or $x\theta \in \mathcal{K}$ for some $x$.

Proof.

($\alpha$) $\Box$ is not typable and every subterm of a typable term is typable.

($\beta$) By induction on the size of $t$ (no conversion can take place since $\Box$ is not typable).

($\gamma$) Trivial.

($\delta$) If $t\theta \in \mathcal{K}$ and $t \notin \mathcal{K}$ then $t = (\vec{x} : \vec{T})x$ with $x\theta \in \mathcal{K}$.

□

Lemma 11 If, for every rule $l \to r \in \mathcal{R}$, $r \notin \mathcal{B} \cup \mathcal{K} \cup \mathcal{W}$, then:

(a) If $t \to t'$ and $t' \in \mathcal{B}$ then $t \in \mathcal{B}$.

(b) If $\Box \sqsubseteq_\Gamma T$ then $T = \Box$.

(c) If $K \in \mathcal{K}$ and $\Gamma \vdash K : L$ then $L = \Box$.

(d) No term in $\mathcal{W}$ is typable.

(e) If $t \to K \in \mathcal{K}$ then $t \in \mathcal{K} \cup \mathcal{W}$.

(f) If $t \to t' \in \mathcal{W}$ then $t \in \mathcal{W}$.

(g) If $\Gamma \vdash T : s$ and $T \to^* K \in \mathcal{K}$ then $T \in \mathcal{K}$ and $s = \Box$.

(h) If $T \simeq_\Gamma K$ and $\Gamma \vdash K : \Box$ then $\Gamma \vdash T : \Box$ and $T \in \mathcal{K}$.

(i) If $(\vec{x} : \vec{T})\star \simeq_\Gamma (\vec{y} : \vec{U})\star$ then $|\vec{x}| = |\vec{y}|$ and, for all $i$, $T_i \simeq_{\Gamma_i} U_i\{\vec{y} \mapsto \vec{x}\}$ with $\Gamma_i = \Gamma, x_1 : T_1, \ldots, x_{i-1} : T_{i-1}$.

(j) If $T \sqsubseteq_\Gamma T'$ and $\Gamma \vdash T : \star$ then $\Gamma \vdash T' : \star$.

(k) If $\Gamma \vdash t : T$ and $t \in \mathcal{P}$ then $T \in \mathcal{K}$.

(l) If $\Gamma \vdash t : K$ and $\Gamma \vdash K : \Box$ then $t \in \mathcal{P}$.

Proof.

(a) Assume that $t \to^p t'$ and $t'|_q = \Box$. If $p \parallel q$ then $t|_q = \Box$ and $t \in \mathcal{B}$. Otherwise, $p \le q$. If $t|_p = [x : U]v\, u$ and $t'|_p = v\{x \mapsto u\}$ then, by ($\gamma$), $v \in \mathcal{B}$ or $u \in \mathcal{B}$. Thus, $t \in \mathcal{B}$. Now, if $t|_p = l\sigma$, $t'|_p = r\sigma$ and $l \to r \in \mathcal{R}$ then, by ($\gamma$), $r \in \mathcal{B}$ or $x\sigma \in \mathcal{B}$ for some $x$. Since $r \notin \mathcal{B}$, $x\sigma \in \mathcal{B}$ and $t \in \mathcal{B}$.

(b) Assume that $\Box \sqsubseteq_\Gamma T$ and $T \ne \Box$. Since $\Box$ is normal, $T \to^* \Box$ and $\Gamma \vdash T : s'$. By (a), $T \in \mathcal{B}$ and $T$ cannot be typable. Thus, $T = \Box$.

(c) By induction on the size of $K$. If $K = \star$ then, by inversion, $\Box \sqsubseteq_\Gamma L$ and, by (b), $L = \Box$. If $K = (x : T)K'$ then, by inversion, $\Gamma, x : T \vdash K' : s$ and $s \sqsubseteq_\Gamma L$. By induction hypothesis, $s = \Box$ and, by (b), $L = \Box$.

(d) Assume that $\Gamma \vdash [y : W]K : T$. By inversion, $\Gamma, y : W \vdash K : L$ and $\Gamma \vdash (y : W)L : s$. By (c), $L = \Box$ and $(y : W)L$ cannot be typable. Assume now that $\Gamma \vdash wK : T$. By inversion, $\Gamma \vdash w : (x : L)V$, $\Gamma \vdash K : L$ and $\Gamma \vdash (x : L)V : s$. By (c), $L = \Box$ and $(x : L)V$ cannot be typable.

(e) Assume that $t \to K \in \mathcal{K}$ and $t \notin \mathcal{K}$. We prove that $t \in \mathcal{W}$ by induction on the size of $t$. The only possible cases are $t = (x : T)u$, $t = [x : U]v\, u$ if $t \to_\beta K$, and $t = l\sigma$ with $l \to r \in \mathcal{R}$ if $t \to_\mathcal{R} K$. If $t = (x : T)u$ then $K = (x : T)L$ and $u \to L$. By induction hypothesis, $u \in \mathcal{W}$. If $t = [x : U]v\, u$ then $K = v\{x \mapsto u\}$. By ($\delta$), either $v \in \mathcal{K}$ or $u \in \mathcal{K}$. In both cases, $t \in \mathcal{W}$. Assume now that $t = l\sigma$ with $l \to r \in \mathcal{R}$. Then, $K = r\sigma$. By ($\delta$), either $r \in \mathcal{K}$ or $x\sigma \in \mathcal{K}$ for some $x$. Since $r \notin \mathcal{K}$, $x\sigma \in \mathcal{K}$ and $t = l\sigma \in \mathcal{W}$ since $x$ is the argument of some symbol ($l$ is algebraic).

(f) Assume that $t \to^p t' \in \mathcal{W}$, $t'|_q = wK$ and $K \in \mathcal{K}$ (the case $t'|_q = [x : w]K$ is dealt with in the same way). There are several cases:

- $q \parallel p$. Then, $t|_q = wK$ and $t \in \mathcal{W}$.

- $q < p$.
  ∘ $p = q1m$. Then, $t|_q = w'K$ with $w' \to w$ and $t \in \mathcal{W}$.
  ∘ $p = q2m$. Then, $t|_q = wu$ with $u \to K \in \mathcal{K}$. By (e), $u \in \mathcal{K} \cup \mathcal{W}$. Thus, $t \in \mathcal{W}$.

- $q \ge p$. Then, $q = pm$. Assume that $t|_p = l\sigma$, $t'|_p = r\sigma$ and $l \to r \in \mathcal{R}$ (the case $t \to_\beta t'$ is dealt with in the same way). Let $\{p_1, \ldots, p_n\} = \bigcup\{Pos(x, r) \mid x \in FV(r)\}$ be the variable positions of $r$. There are several cases:
  ∘ $m \parallel p_i$ for all $i$, or $m < p_i$ for some $i$. Then, $(r|_m)\sigma = wK$, $r|_m = uv$ and $v\sigma = K$. By ($\delta$), $v \in \mathcal{K}$ or $x\sigma \in \mathcal{K}$ for some $x$. If $v \in \mathcal{K}$ then $r \in \mathcal{W}$, which is not possible. Thus, $x\sigma \in \mathcal{K}$ and $l\sigma \in \mathcal{W}$.
  ∘ $m \ge p_i$ for some $i$. Then, there is $x \in FV(l)$ such that $x\sigma \in \mathcal{W}$. Thus, $t \in \mathcal{W}$.

(g) By (e) and (f), if $T \to^* K \in \mathcal{K}$ then $T \in \mathcal{K} \cup \mathcal{W}$. Since $\Gamma \vdash T : s$, $T \notin \mathcal{W}$ by (d). Thus, $T \in \mathcal{K}$ and, by (c), $s = \Box$.

(h) By induction on the number of conversions between $T$ and $K$. Assume that $\Gamma \vdash T : s$, $T \downarrow K$ and $\Gamma \vdash K : \Box$. Then, there is $K' \in \mathcal{K}$ such that $K \to^* K'$ and $T \to^* K'$. By (g), $T \in \mathcal{K}$ and $s = \Box$.

(i) By (h), all the intermediate well-typed terms between $K = (\vec{x} : \vec{T})\star$ and $L = (\vec{y} : \vec{U})\star$ are kinds and, if $K \downarrow L$ then, clearly, $|\vec{x}| = |\vec{y}|$ and $T_i \downarrow U_i\{\vec{y} \mapsto \vec{x}\}$ for all $i$.

(j) Immediate consequence of (i).

(k) By induction on $\Gamma \vdash t : T$.

(l) By induction on $\Gamma \vdash t : K$.

□

Lemma 12 Given a rule $l \to r$ with $l = f\vec{l}$, $f : (\vec{x} : \vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$, $r \notin \mathcal{B} \cup \mathcal{K} \cup \mathcal{W}$ if there is an environment $\Gamma$ and a substitution $\rho$ such that $\Gamma \vdash l\rho : U\gamma\rho$ and $\Gamma \vdash r : U\gamma\rho$.

Proof. Since $r$ is typable, $r \notin \mathcal{B} \cup \mathcal{W}$. We now prove that $r \notin \mathcal{K}$. Since $\Gamma \vdash l\rho : U\gamma\rho$, by inversion, we get that $\gamma\rho : \Gamma_f \leadsto \Gamma$. Since $\vdash \tau_f : s_f$, by inversion, we get that $\Gamma_f \vdash U : s_f$. So, by substitution, $\Gamma \vdash U\gamma\rho : s_f$. Now, if $r \in \mathcal{K}$ then, by (c), $U\gamma\rho = \Box$, but $\Box$ is not typable. Therefore, $r \notin \mathcal{K}$. □

Theorem 13 (Subject reduction for $h$) (Barbanera et al. 1997) Assume that no right hand-side is in $\mathcal{B} \cup \mathcal{K} \cup \mathcal{W}$. Then, the restriction $\beta_\mathcal{P}$ of $\beta$ to the redexes $[x : T]u\, t \in \mathcal{P}$ preserves typing. Therefore, $h$ preserves typing on terms of type $\star$.

Proof. The proof is as usual by induction on $\Gamma \vdash t : T$ and by proving at the same time that, if $\Gamma \to_{\beta_\mathcal{P}} \Gamma'$, then $\Gamma' \vdash t : T$. The only difficult case is the case of a head-reduction $[x : U']v\, u \to_{\beta_\mathcal{P}} v\{x \mapsto u\}$ with $\Gamma \vdash [x : U']v : (x : U)V$ and $\Gamma \vdash u : U$. We must prove that $\Gamma \vdash v\{x \mapsto u\} : V\{x \mapsto u\}$. By inversion, we have $\Gamma, x : U' \vdash v : V'$ with $(x : U')V' \simeq_\Gamma (x : U)V$. Since $v \in \mathcal{P}$, by (k), $V' \in \mathcal{K}$. Therefore, by Lemma 11 (h) and (i), $(x : U)V \in \mathcal{K}$, $U' \simeq_\Gamma U$ and $V' \simeq_{\Gamma, x : U} V$. Hence, by environment conversion and type conversion, $\Gamma, x : U \vdash v : V$ and, by substitution, $\Gamma \vdash v\{x \mapsto u\} : V\{x \mapsto u\}$.

Now, if $\Gamma \vdash t : \star$ then, by (l), $t \in \mathcal{P}$. So, if $t \to_h t'$, then $t = [\vec{x} : \vec{T}]([x : U]v\, u\, \vec{t})$ with $[x : U]v\, u \in \mathcal{P}$ and $v \in \mathcal{P}$, hence $t \to_{\beta_\mathcal{P}} t'$ and $\Gamma \vdash t' : \star$. □

Lemma 14 (Commutation) If $t \to^*_h u$ and $t \to_i v$ then there exists $w$ such that $u \to^* w$ and $v \to^*_h w$.

Proof. By induction on the number of $h$-steps, it suffices to prove that, if $[x : U]v\, u \to_h v\{x \mapsto u\}$ and $[x : U]v\, u \to_i t$, then there exists $w$ such that $v\{x \mapsto u\} \to^* w$ and $t \to_h w$. Since left hand-sides of rules are algebraic, $t$ is of the form $[x : U']v'\, u'$ with $U \to^=_i U'$, $v \to^=_i v'$ and $u \to^=_i u'$ (exactly one of the three is reduced). So, it suffices to take $w = v'\{x \mapsto u'\}$. □

Lemma 15 (Postponement) Assume that no right hand-side is in $\mathcal{B} \cup \mathcal{K} \cup \mathcal{W}$ and that the right hand-side of every type-level rule is either a product or a predicate symbol application. If $\Gamma \vdash t : \star$ and $t \to^*_i u \to^*_h v$ then there exists $w$ such that $t \to^*_h w \to^*_i v$.

Proof. By induction on the number of $h$-steps. Assume that $t \to^*_i u \to^*_h u' \to_h v$. By induction hypothesis, there exists $w'$ such that $t \to^*_h w' \to^*_i u'$. By subject reduction on types, $\Gamma \vdash w' : \star$. So, by (l), $w'$ is either of the form $(x : U)V$, $x\vec{t}$, $f\vec{t}$ with $f \in \mathcal{F}^\Box$, or $[x : B]a\, b\, \vec{t}$. Since $w' \to^*_i u' \to_h v$, $w'$ cannot be of the form $(x : U)V$ or $x\vec{t}$. Since right hand-sides of type-level rules are either a product or a predicate symbol application, $w'$ cannot be of the form $f\vec{t}$. Therefore, $w' = [x : B]a\, b\, \vec{t}$, $u' = [x : B']a'\, b'\, \vec{t'}$ with $B, a, b, \vec{t} \to^*_i B', a', b', \vec{t'}$, and $v = a'\{x \mapsto b'\}\vec{t'}$. Hence, by taking $w = a\{x \mapsto b\}\vec{t}$, we have $t \to^*_h w' \to_h w \to^*_i v$. □

Theorem 16 (Subject reduction for $\beta$) If no right hand-side is in $\mathcal{B} \cup \mathcal{K} \cup \mathcal{W}$ and the right hand-side of every type-level rule is a symbol application then $\beta$ preserves typing.

Proof. The proof is as usual by induction on $\Gamma \vdash t : T$ and by proving that, if $\Gamma \to_\beta \Gamma'$, then $\Gamma' \vdash t : T$. The only difficult case is the case of a head-reduction $[x : U']v\, u \to_\beta v\{x \mapsto u\}$ with $\Gamma \vdash [x : U']v : (x : U)V$ and $\Gamma \vdash u : U$. We must prove that $\Gamma \vdash v\{x \mapsto u\} : V\{x \mapsto u\}$. We already know that it is true when $v$ is a predicate. We must now prove it when $v$ is an object, that is, when $\Gamma \vdash (x : U)V : \star$. By inversion, we have $\Gamma \vdash [x : U']v : (x : U')V'$ with $(x : U')V' \simeq_\Gamma (x : U)V$. By Lemma 11 (j), all the intermediate well-typed terms between $(x : U')V'$ and $(x : U)V$ are of type $\star$. Without loss of generality, we can assume that $T_0 = (x : U')V' \downarrow_\beta T_1 \downarrow_\mathcal{R} T_2 \downarrow_\beta \cdots T_n = (x : U)V$. Let $T'_i$ be the common reduct between $T_i$ and $T_{i+1}$. We now prove by induction on the number of conversions that there is a sequence of well-typed product terms $\pi_1, \ldots, \pi_n$ such that $\pi_0 = T_0 \downarrow_\beta \pi_1 \downarrow_\mathcal{R} \pi_2 \downarrow_\beta \cdots \pi_n = T_n$.

Since $T_0$ is a product, $\pi'_0 = T'_0$ is also a product. Since $T_1 \to^* \pi'_0$, by standardization, there is a product term $\pi_1$ such that $T_1 \to^*_h \pi_1 \to^*_i \pi'_0$. Since $h$ has the subject reduction property on types, $\pi_1$ is well-typed. Now, since $T_1 \to^* T'_1$, by commutation, there is a product term $\pi'_1$ such that $\pi_1 \to^* \pi'_1$ and $T'_1 \to^*_h \pi'_1$. Furthermore, since $T_2 \to^* T'_1$, by postponement, there is a term $t$ such that $T_2 \to^*_h t \to^*_i \pi'_1$. Since $h$ has the subject reduction property on types, $t$ is a well-typed term of type $\star$. We now proceed by case on $t$.

- If $t$ is an abstraction $[y : T]w$ then, by inversion, there is $W$ such that $(y : T)W \simeq_\Gamma \star$. By Lemma 11 (h) and (i), this is not possible.

- If $t$ is an application but not a symbol application then, since left hand-sides of rules are algebraic, $\pi'_1$ is an application, which is not possible either.

- If $t$ is a symbol application then, since right hand-sides of type-level rules are symbol applications, $\pi'_1$ is a symbol application too, which is not possible either.

- Therefore, $t$ is a well-typed product term $\pi_2$.

Now, since $T_2 \to^* T'_2$ and $\beta$ is confluent, there is a product term $\pi'_2$ such that $\pi_2 \to^* \pi'_2$ and $T'_2 \to^* \pi'_2$, and we can now conclude by induction. □

4. Logical consistency

In the case of the pure Calculus of Constructions without symbols and rewrite rules, logical consistency easily follows from normalization by proving that there can be no normal proof of $\bot = (\alpha : \star)\alpha$ in the empty environment (Barendregt 1992). But, having symbols and rewrite rules is like having hypotheses and axioms. Thus, in this case, logical consistency does not directly follow from normalization. We can however give general conditions ensuring logical consistency:

Theorem 17 (Logical consistency) Assume that $\to$ is confluent and that every object symbol $f$ satisfies one of the following conditions:

(1) $f : (\vec{x} : \vec{T})C\vec{v}$ with $C \in \mathcal{CF}^\Box$,

(2) $f : (\vec{x} : \vec{T})T_i$,

(3) $f : (x_1 : T_1) \ldots (x_n : T_n)U$ with $x_n \notin FV^\Box(U)$ and, for all normal substitution $\gamma : (\vec{x} : \vec{T}) \leadsto (\alpha : \star)$, $f\vec{x}\gamma$ is reducible.

Then, there is no normal proof of $\bot = (\alpha : \star)\alpha$ in the empty environment. Therefore, if $\to$ is also normalizing, then there is no proof of $\bot$ in the empty environment.

Proof. Assume that $\vdash t : \bot$, $t$ is normal and of minimal size, that is, there is no term $u$ smaller than $t$ such that $\vdash u : \bot$. For typing reasons, $t$ cannot be a sort or a product. Assume that $t$ is an application. Since $t$ is typable in the empty environment, it cannot have free variables and, since $t$ is normal, it must be of the form $f\vec{t}$. Assume that $|\vec{t}| = k$ and that $f$ is of type $(\vec{x} : \vec{T})U$ with $|\vec{x}| = n$. Let $\gamma_i = \{x_1 \mapsto t_1, \ldots, x_i \mapsto t_i\}$ ($i \le n$).

(1) In this case, $k \le n$ since $f$ cannot be applied to more than $n$ arguments. Indeed, if $f$ is applied to $n + 1$ arguments then, by inversion, $\vdash f t_1 \ldots t_n : (x_{n+1} : T_{n+1})V$. But, since $\vdash f t_1 \ldots t_n : C\vec{v}\gamma_n$, by convertibility of types and confluence, we must



Frédéric Blanqui

have $(x_{n+1} : T_{n+1})V \downarrow C\vec{v}\gamma_n$, which is not possible. Thus, $k \le n$ and $(x_{k+1} : T_{k+1}\gamma_k) \ldots (x_n : T_n\gamma_k)C\vec{v}\gamma_k \downarrow \bot$, which is not possible either.

(2) There are 2 cases:

• $k < n$. Since $\vdash f\vec{t} : (x_{k+1} : T_{k+1}\gamma_k) \ldots (x_n : T_n\gamma_k)T_i\gamma_k$, we must have $n = k + 1$ and, by taking $x_n = \alpha$, $T_n\gamma_k \downarrow \star$ and $T_i\gamma_k \downarrow \alpha$. Hence $T_i\gamma_k \to^* \alpha$, but $T_i\gamma_k$ is closed since $FV(T_i) \subseteq \{x_1, \ldots, x_{i-1}\}$, $\gamma_k$ is closed and $i - 1 < k$. So, $T_i\gamma_k \to^* \alpha$ is not possible.

• $k \ge n$. We have $t = u\vec{v}$ with $u = f t_1 \ldots t_n$. Let $p = k - n$. By inversion, there is a sequence of products $(y_1 : V_1)W_1, \ldots, (y_p : V_p)W_p$ such that $T_i\gamma_n = U\gamma_n \downarrow (y_1 : V_1)W_1$, for all $i < p$, $W_i\{y_i \mapsto v_i\} \downarrow (y_{i+1} : V_{i+1})W_{i+1}$, and $W_p\{y_p \mapsto v_p\} \downarrow \bot$. Then, $\vdash t_i\vec{v} : \bot$ and $t_i\vec{v}$ is smaller than $t$.

(3) If $k \ge n$ then $t$ is reducible, which is not possible. If $k < n$ then $n = k + 1$, $x_n = \alpha$ and $U\gamma_k \to^* \alpha$. But $FV(U) \subseteq \{x_1, \ldots, x_k, \alpha\}$ and $\gamma_k$ is closed. So, $x_n \in FV^\Box(U)$, which is excluded.

Assume now that $t = [\alpha : T]v$. Then, by inversion, we must have $\alpha : T \vdash v : V$ and $(\alpha : T)V \downarrow (\alpha : \star)\alpha$. Therefore, $T = \star$, $V = \alpha$ and $\alpha : \star \vdash v : \alpha$. For typing reasons, $v$ cannot be a sort, a product or an abstraction. Since it is normal, it must be of the form $x\vec{u}$ with $x$ a variable, or of the form $f\vec{t}$. Since $\alpha$ is the only variable that may freely occur in $v$, $x = \alpha$. Since $\alpha$ can be applied to no argument, $v = \alpha$. Then, we get $\alpha : \star \vdash \alpha : \alpha$, which is not possible. Therefore, $v$ is of the form $f\vec{t}$.

(1) In this case, $k \le n$ since $f$ cannot be applied to more than $n$ arguments. Thus, $(x_{k+1} : T_{k+1}\gamma_k) \ldots (x_n : T_n\gamma_k)C\vec{v}\gamma_k \downarrow \alpha$, which is not possible.

(2) If $k < n$ then $(x_{k+1} : T_{k+1}\gamma_k) \ldots (x_n : T_n\gamma_k)T_i\gamma_k \downarrow \alpha$, which is not possible. Thus, $v = u\vec{v}$ with $u = f t_1 \ldots t_n$. Let $p = k - n$. By inversion, there is a sequence of products $(y_1 : V_1)W_1, \ldots, (y_p : V_p)W_p$ such that $T_i\gamma_n = U\gamma_n \downarrow (y_1 : V_1)W_1$, for all $i < p$, $W_i\{y_i \mapsto v_i\} \downarrow (y_{i+1} : V_{i+1})W_{i+1}$, and $W_p\{y_p \mapsto v_p\} \downarrow \alpha$. Then, $\vdash [\alpha : \star]t_i\vec{v} : \bot$ and $[\alpha : \star]t_i\vec{v}$ is smaller than $t$.

(3) In this case too, $k \ge n$. Thus, $t$ is reducible, which is not possible.

□

Note that, as opposed to the third condition, the first two conditions do not care about the rewrite rules defining $f$.

To see the interest of the third condition, consider the following example. Assume that the only symbols of the calculus are $nat : \star$, $0 : nat$, $s : nat \Rightarrow nat$ and $rec : (P : nat \Rightarrow \star)P0 \Rightarrow ((n : nat)Pn \Rightarrow P(sn)) \Rightarrow (n : nat)Pn$ defined by the usual rules for recursors:

$rec\ P\ u\ v\ 0 \to u$
$rec\ P\ u\ v\ (s\, n) \to v\ n\ (rec\ P\ u\ v\ n)$

This calculus is confluent since the combination of an orthogonal system (the recursor rules) with the $\beta$-reduction preserves confluence. In this calculus, it is possible to express any function whose existence is provable in intuitionistic higher-order arithmetic.

Now, let us look at the normal terms of type $nat$ in the environment $\alpha : \star$. Let $\mathcal{N}$ be the set of these terms. A term in $\mathcal{N}$ cannot be a sort, a product, an abstraction, nor a variable. It can only be of the form $0$, $(s\, t)$ with $t$ itself in $\mathcal{N}$, or of the form $(rec\ P\ u\ v\ t\ \vec{w})$ with $t \in \mathcal{N}$ also. But the last case is not possible since, at some point, the argument $t$ of $(rec\ P\ u\ v\ t)$ must be of the form $0$ or $(s\, t')$, and hence $(rec\ P\ u\ v\ t)$ must be reducible. Therefore, all the normal terms of type $nat$ typable in $\alpha : \star$ must be of the form $0$ or $(s\, t)$, and if $t$ is such a term then $(rec\ P\ u\ v\ t)$ is reducible. We also say that functions defined by induction are completely defined (Guttag and Horning 1978; Thiel 1984; Kounalis 1985; Coquand 1992). Therefore, after the previous theorem, this calculus is consistent.

This may certainly be extended to the Calculus of Inductive Constructions and even to the Calculus of Inductive Constructions extended with functions defined by rewrite rules whenever all the symbols are completely defined.

5. Conditions of Strong Normalization

We now present the conditions of strong normalization.

5.1. Inductive types and constructors

Until now we made few hypotheses on symbols and rewrite rules. However, Mendler (Mendler 1987) showed that the extension of the simply-typed $\lambda$-calculus with recursion on inductive types is strongly normalizing if and only if the inductive types satisfy some positivity condition.

A base type $T$ occurs positively in a type $U$ if all the occurrences of $T$ in $U$ are on the left of an even number of $\Rightarrow$. A type $T$ is positive if $T$ occurs positively in the type of the arguments of its constructors. Usual inductive types like natural numbers and lists of natural numbers are positive.

Now, let us see an example of a non-positive type $T$. Let $U$ be a base type. Assume that $T$ has a constructor $c$ of type $(T \Rightarrow U) \Rightarrow T$. $T$ is not positive because $T$ occurs at a negative position in $T \Rightarrow U$. Consider now the function $p$ of type $T \Rightarrow (T \Rightarrow U)$ defined by the rule $p(cx) \to x$. Let $\omega = \lambda x.(px)x$ of type $T \Rightarrow U$. Then the term $\omega(c\omega)$ of type $U$ is not normalizable:

$\omega(c\omega) \to_\beta p(c\omega)(c\omega) \to_\mathcal{R} \omega(c\omega) \to_\beta \ldots$
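As an added illustration (this code is not from the paper), the following Python implements the parity check of positivity for simple types described above, together with a small leftmost-outermost reducer for $\beta$ plus the single rule $p(cx) \to x$. Run on the paper's example, it reports that $c : (T \Rightarrow U) \Rightarrow T$ fails the positivity check and that $\omega(c\omega)$ comes back to itself after one $\beta$-step and one $\mathcal{R}$-step, which is how a type checker that accepted this definition would be made to loop. The tuple encoding of types and terms, the names `is_positive`, `reduce_bounded` and `OMEGA_C_OMEGA`, and the cycle-detection bound are this example's own assumptions.

```python
import itertools

# Added example (not from the paper).
# Part 1: positivity of a base type in a simple type, read off the number of
# arrow left-hand sides above each occurrence.
# Simple types: ('base', name) | ('arrow', A, B)      meaning A => B
def base(n): return ('base', n)
def arrow(a, b): return ('arrow', a, b)

def occurs_positively(T, U, positive=True):
    """True iff every occurrence of base type T in U is to the left of an even
    number of arrows.  Going into the domain of an arrow flips the sign."""
    if U[0] == 'base':
        return positive or U[1] != T
    return occurs_positively(T, U[1], not positive) and occurs_positively(T, U[2], positive)

def is_positive(T, constructor_types):
    """T is positive if T occurs positively in every argument type of its
    constructors (a constructor type A1 => ... => An => T is walked arrow by arrow)."""
    for ct in constructor_types:
        while ct[0] == 'arrow':
            if not occurs_positively(T, ct[1]):
                return False
            ct = ct[2]
    return True

# Part 2: untyped terms and a leftmost-outermost reducer for beta and p (c x) -> x.
# Terms: ('var', x) | ('lam', x, body) | ('app', t, u) | ('sym', f)
_fresh = itertools.count(1)

def free_vars(t):
    if t[0] == 'var': return {t[1]}
    if t[0] == 'sym': return set()
    if t[0] == 'app': return free_vars(t[1]) | free_vars(t[2])
    return free_vars(t[2]) - {t[1]}

def subst(t, x, s):
    """Capture-avoiding substitution t{x -> s}."""
    if t[0] == 'var': return s if t[1] == x else t
    if t[0] == 'sym': return t
    if t[0] == 'app': return ('app', subst(t[1], x, s), subst(t[2], x, s))
    y, body = t[1], t[2]
    if y == x:                      # x is shadowed: nothing to substitute
        return t
    if y in free_vars(s):           # rename the binder so s is not captured
        fresh = f"{y}_{next(_fresh)}"
        body, y = subst(body, y, ('var', fresh)), fresh
    return ('lam', y, subst(body, x, s))

def step(t):
    """One leftmost-outermost beta- or R-step and its label; None if t is normal."""
    if t[0] == 'app':
        f, a = t[1], t[2]
        if f[0] == 'lam':                                                  # beta
            return subst(f[2], f[1], a), 'beta'
        if f == ('sym', 'p') and a[0] == 'app' and a[1] == ('sym', 'c'):   # p (c x) -> x
            return a[2], 'R'
        r = step(f)
        if r is not None:
            return ('app', r[0], a), r[1]
        r = step(a)
        if r is not None:
            return ('app', f, r[0]), r[1]
        return None
    if t[0] == 'lam':
        r = step(t[2])
        return (('lam', t[1], r[0]), r[1]) if r is not None else None
    return None

def reduce_bounded(t, max_steps):
    """Reduce t for at most max_steps steps.  Returns (status, term, steps, trace):
    status is 'normal' (normal form reached), 'loop' (a term recurred) or 'unknown'."""
    seen, trace = {t}, []
    for n in range(max_steps):
        r = step(t)
        if r is None:
            return 'normal', t, n, trace
        t, label = r
        trace.append(label)
        if t in seen:
            return 'loop', t, n + 1, trace
        seen.add(t)
    return 'unknown', t, max_steps, trace

# The paper's counterexample: omega = \x. (p x) x and the term omega (c omega).
OMEGA = ('lam', 'x', ('app', ('app', ('sym', 'p'), ('var', 'x')), ('var', 'x')))
OMEGA_C_OMEGA = ('app', OMEGA, ('app', ('sym', 'c'), OMEGA))

if __name__ == '__main__':
    print(is_positive('T', [arrow(arrow(base('T'), base('U')), base('T'))]))   # False
    status, _, steps, trace = reduce_bounded(OMEGA_C_OMEGA, 50)
    print(status, steps, trace)                                             # loop 2 ['beta', 'R']
```

The positivity check is what a checker should run before admitting the constructor; the reducer only makes the consequence of skipping it visible. Cycle detection on the set of visited terms is enough here because the reduction sequence is periodic; a bounded step count is still needed in general, since non-terminating sequences need not repeat a term.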

In the case where $U = *$, we can interpret this as Cantor's theorem: there is no 
surjection from a set T to the set of its subsets $T \Rightarrow *$. In this interpretation, p is the 
natural injection between T and $T \Rightarrow *$. Saying that p is surjective is equivalent to saying 
(with the Axiom of Choice) that there exists c such that $p \circ c$ is the identity, that is, such 
that $p\,(c\,x) \to x$. In (Dowek 1999), Dowek shows that such an hypothesis is incoherent. 
Here, we show that this is related to the non-normalization of non-positive inductive 
types. 
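As an added illustration (not part of the paper), the following Python script mechanizes the loop above on untyped terms: it implements β-reduction and the rule $p\,(c\,x) \to x$ with a leftmost-outermost strategy, runs the reduction sequence of $\omega\,(c\,\omega)$ for a bounded number of steps, and reports the first term that reappears. The term encoding and the function names are this example's own choices, not the paper's syntax.

```python
# Added example (not from the paper): untyped rewriting showing the loop
# omega (c omega) -> p (c omega) (c omega) -> omega (c omega) -> ...
# Term encoding (an assumption of this example, not the paper's syntax):
#   ('var', x)  ('sym', f)  ('lam', x, body)  ('app', fun, arg)

def var(x): return ('var', x)
def sym(f): return ('sym', f)
def lam(x, body): return ('lam', x, body)

def app(f, *args):
    """Left-nested application f a1 ... an."""
    t = f
    for a in args:
        t = ('app', t, a)
    return t

def free_vars(t):
    tag = t[0]
    if tag == 'var': return {t[1]}
    if tag == 'sym': return set()
    if tag == 'lam': return free_vars(t[2]) - {t[1]}
    return free_vars(t[1]) | free_vars(t[2])

def subst(t, x, s):
    """t{x -> s}. s must be closed, so no variable capture is possible."""
    assert not free_vars(s), "only closed substitutions are supported here"
    tag = t[0]
    if tag == 'var': return s if t[1] == x else t
    if tag == 'sym': return t
    if tag == 'lam': return t if t[1] == x else ('lam', t[1], subst(t[2], x, s))
    return ('app', subst(t[1], x, s), subst(t[2], x, s))

def head_step(t):
    """A beta step or the rule p (c x) -> x at the root; None if neither applies."""
    if t[0] != 'app':
        return None
    f, a = t[1], t[2]
    if f[0] == 'lam':                                   # beta: ([x]b) a -> b{x -> a}
        return subst(f[2], f[1], a)
    if f == sym('p') and a[0] == 'app' and a[1] == sym('c'):   # p (c x) -> x
        return a[2]
    return None

def step(t):
    """One leftmost-outermost step; None if t is in normal form."""
    r = head_step(t)
    if r is not None:
        return r
    if t[0] == 'lam':
        b = step(t[2])
        return None if b is None else ('lam', t[1], b)
    if t[0] == 'app':
        f = step(t[1])
        if f is not None:
            return ('app', f, t[2])
        a = step(t[2])
        if a is not None:
            return ('app', t[1], a)
    return None

def trace(t, max_steps):
    """The reduction sequence from t, cut after max_steps steps."""
    seq = [t]
    for _ in range(max_steps):
        n = step(seq[-1])
        if n is None:
            break
        seq.append(n)
    return seq

def first_repeat(seq):
    """(i, j) with i < j and seq[i] == seq[j] for the earliest j, or None."""
    seen = {}
    for j, t in enumerate(seq):
        if t in seen:
            return (seen[t], j)
        seen[t] = j
    return None

# omega = [x:T](p x) x, and the looping term omega (c omega)
OMEGA = lam('x', app(sym('p'), var('x'), var('x')))
LOOPING = app(OMEGA, app(sym('c'), OMEGA))

if __name__ == '__main__':
    seq = trace(LOOPING, 6)
    print(first_repeat(seq))   # (0, 2): the term comes back to itself after two steps
```

The rule $p\,(c\,x) \to x$ is harmless on its own (the last assertion below reduces $p\,(c\,k)$ to $k$ in one step); it is only the combination with the self-application permitted by the negative occurrence of T that produces a cycle.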

Mendler also gives a condition, strong positivity, in the case of dependent and poly- 
morphic types. A similar but more restrictive notion, called strict positivity, is used by 
Coquand and Paulin in the Calculus of Inductive Constructions (Coquand and Paulin- 
Mohring 1988). 

Hereafter we introduce the more general notion of admissible inductive structure. In 
particular, we do not consider that a constructor must be constant: it is possible to have 
rewrite rules on constructors. This allows us to formalize quotient types like the type int 
of integers by taking $0 : int$ for zero, $s : int \Rightarrow int$ for successor, and $p : int \Rightarrow int$ for 
predecessor, together with the rules: 

$s\,(p\,x) \to x$ 
$p\,(s\,x) \to x$ 

Definition 18 (Inductive structure) An inductive structure is given by: 

• a precedence $\ge_C$ on $\mathcal{CF}^\square$, 

• for every $C : (\vec x : \vec T)*$ in $\mathcal{CF}^\square$, a set $Mon(C) \subseteq \{i \le |\vec x| \mid x_i \in \mathcal X^\square\}$ for the monotonic 
arguments of C, 

• for every $f : (\vec y : \vec U)C\vec v$ with $C \in \mathcal{CF}^\square$, a set $Acc(f) \subseteq \{1, \ldots, |\vec y|\}$ for the accessible 
positions of f. 

For convenience, we assume that $Mon(f) = \emptyset$ if $f \notin \mathcal{CF}^\square$, and $Acc(f) = \emptyset$ if f is not of 
type $(\vec y : \vec U)C\vec v$ with $C \in \mathcal{CF}^\square$. 

The accessible positions of / denote the arguments of / that one can use in the right 
hand-sides of rules. The monotonic arguments of C denote the parameters in which C is 
monotonic. 

Definition 19 (Positive and negative positions) The set of positive positions in t, 
$Pos^+(t)$, and the set of negative positions in t, $Pos^-(t)$, are simultaneously defined by 
induction on the structure of t: 

- $Pos^\delta(s) = Pos^\delta(x) = \{\varepsilon \mid \delta = +\}$, 

- $Pos^\delta((x : U)V) = 1.Pos^{-\delta}(U) \cup 2.Pos^\delta(V)$, 

- $Pos^\delta([x : U]v) = 2.Pos^\delta(v)$, 

- $Pos^\delta(t\,u) = 1.Pos^\delta(t)$ if $t \ne f\vec t$, 

- $Pos^\delta(f\vec t) = \{1^{|\vec t|} \mid \delta = +\} \cup \bigcup\{1^{|\vec t|-i}2.Pos^\delta(t_i) \mid i \in Mon(f)\}$, 

where $\delta \in \{-, +\}$, $-+ = -$ and $-- = +$ (usual rule of signs). 

Definition 20 (Admissible inductive structures) An inductive structure is admis- 
sible if, for all $C \in \mathcal{CF}^\square$, for all $f : (\vec y : \vec U)C\vec v$, and for all $j \in Acc(f)$:†† 

(I3) $\forall D \in \mathcal{CF}^\square,\ D =_C C \Rightarrow Pos(D, U_j) \subseteq Pos^+(U_j)$ 
(symbols equivalent to C must be at positive positions), 

(I4) $\forall D \in \mathcal{CF}^\square,\ D >_C C \Rightarrow Pos(D, U_j) = \emptyset$ 
(no symbol greater than C can occur in $U_j$), 

(I5) $\forall F \in \mathcal{DF}^\square,\ Pos(F, U_j) = \emptyset$ 
(no defined symbol can occur in $U_j$), 

(I6) $\forall Y \in FV^\square(U_j),\ \exists \iota_Y,\ v_{\iota_Y} = Y$ 
(predicate variables must be parameters of C), 

(I2) $\forall Y \in FV^\square(U_j),\ \iota_Y \in Mon(C) \Rightarrow Pos(Y, U_j) \subseteq Pos^+(U_j)$ 
(monotonic arguments must be at positive positions). 

†† In (Blanqui 2001), we give six conditions, (I1) to (I6), for defining what is an admissible inductive 
structure. But we found that (I1) can be eliminated if we modify (I2) a little bit. This is why, in the 
definition above, there is no (I1) and (I2) is placed after (I6). 

For instance, with $list : * \Rightarrow *$, $nil : (A : *)list\,A$ and $cons : (A : *)A \Rightarrow list\,A \Rightarrow list\,A$, 
$Mon(list) = \{1\}$, $Acc(nil) = \{1\}$ and $Acc(cons) = \{1, 2, 3\}$ is an admissible 
inductive structure. If we add $tree : *$ and $node : list\,tree \Rightarrow tree$ with $Mon(list) = \{1\}$, 
$Mon(tree) = \emptyset$ and $Acc(node) = \{1\}$, we still have an admissible structure. 
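To make Definitions 19 and 20 concrete, here is an added Python example (not from the paper) that computes $Pos^\delta(t)$ on a small encoding of type expressions, computes $Pos(D, t)$ (the positions of all occurrences of a symbol D), and checks condition (I3) for the constructors of the list/tree example above, for Brouwer's ordinals and for the non-positive type T of the previous subsection. The encoding, the `MON` table and the function names are assumptions of this example; note that occurrences inside the argument of a non-monotonic parameter, or under a variable application, are neither positive nor negative and therefore make (I3) fail.

```python
# Added example (not from the paper): positive/negative positions of
# Definition 19 and the check of condition (I3) of Definition 20.
# Type encoding (an assumption of this example):
#   ('sort', '*')            the sort *
#   ('var', 'A')             a variable
#   ('pi', x, U, V)          the product (x:U)V, also used for U => V
#   ('lam', x, U, v)         the abstraction [x:U]v
#   ('sym', f, [t1, .., tn]) the application f t1 ... tn of a symbol f
#   ('app', t, u)            an application t u whose head is not a symbol
# Positions are strings over {'1','2'}; '' is the root position epsilon.

def flip(d):
    return '-' if d == '+' else '+'

def pos(t, mon, d='+'):
    """Pos^d(t); mon maps each symbol to its set of monotonic argument indices."""
    tag = t[0]
    if tag in ('sort', 'var'):
        return {''} if d == '+' else set()
    if tag == 'pi':                      # 1.Pos^{-d}(U) U 2.Pos^d(V)
        return ({'1' + p for p in pos(t[2], mon, flip(d))}
                | {'2' + p for p in pos(t[3], mon, d)})
    if tag == 'lam':                     # 2.Pos^d(v)
        return {'2' + p for p in pos(t[3], mon, d)}
    if tag == 'app':                     # 1.Pos^d(t)
        return {'1' + p for p in pos(t[1], mon, d)}
    f, args = t[1], t[2]
    n = len(args)
    res = {'1' * n} if d == '+' else set()           # the head symbol itself
    for i in mon.get(f, set()):                       # monotonic arguments only
        res |= {'1' * (n - i) + '2' + p for p in pos(args[i - 1], mon, d)}
    return res

def occ(D, t):
    """Pos(D, t): positions of all occurrences of the symbol D in t."""
    tag = t[0]
    if tag in ('sort', 'var'):
        return set()
    if tag == 'pi':
        return {'1' + p for p in occ(D, t[2])} | {'2' + p for p in occ(D, t[3])}
    if tag == 'lam':
        return {'2' + p for p in occ(D, t[3])}
    if tag == 'app':
        return {'1' + p for p in occ(D, t[1])} | {'2' + p for p in occ(D, t[2])}
    f, args = t[1], t[2]
    n = len(args)
    res = {'1' * n} if f == D else set()
    for i, a in enumerate(args, start=1):             # every argument this time
        res |= {'1' * (n - i) + '2' + p for p in occ(D, a)}
    return res

def i3_holds(C, arg_types, mon):
    """(I3) for a constructor of C: C occurs only at positive positions of each U_j."""
    return all(occ(C, U) <= pos(U, mon, '+') for U in arg_types)

def arrow(U, V):
    return ('pi', '_', U, V)

def S(f, *args):
    return ('sym', f, list(args))

MON = {'list': {1}, 'tree': set(), 'nat': set(), 'ord': set(), 'T': set(), 'U': set()}

# cons : (A:*) A => list A => list A, node : list tree => tree,
# lim : (nat => ord) => ord, and the non-positive c : (T => U) => T.
CONS_ARGS = [('sort', '*'), ('var', 'A'), S('list', ('var', 'A'))]
NODE_ARGS = [S('list', S('tree'))]
LIM_ARGS = [arrow(S('nat'), S('ord'))]
C_ARGS = [arrow(S('T'), S('U'))]
```

Running `i3_holds('tree', NODE_ARGS, MON)` succeeds only because $Mon(list) = \{1\}$: with an empty `Mon(list)` the occurrence of tree at position 2 of `list tree` is no longer positive, which is exactly why the inductive structure records monotonic arguments.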

The condition (I6) means that the predicate arguments of a constructor must be pa- 
rameters of their type. A similar condition appears in the works of Stefanova (Stefanova 
1998) ("safeness") and Walukiewicz (Walukiewicz-Chrząszcz 2002) ("*-dependency"). On 
the other hand, in the Calculus of Inductive Constructions (CIC) (Werner 1994), there 
is no such restriction. 

We distinguish several kinds of inductive types. 

Definition 21 (Primitive, basic and strictly-positive predicates) 

A constant predicate symbol C is: 

- primitive if for all $D =_C C$, for all $f : (\vec y : \vec U)D\vec w$ and for all $j \in Acc(f)$, $U_j = E\vec t$ with 
$E <_C D$ and E primitive, or $U_j = E\vec t$ with $E =_C D$. 

- basic if for all $D =_C C$, for all $f : (\vec y : \vec U)D\vec w$ and for all $j \in Acc(f)$, if $E =_C D$ occurs 
in $U_j$ then $U_j$ is of the form $E\vec t$. 

- strictly positive if for all $D =_C C$, for all $f : (\vec y : \vec U)D\vec w$ and for all $j \in Acc(f)$, if 
$E =_C D$ occurs in $U_j$ then $U_j = (\vec z : \vec V)E\vec t$ and no $D' =_C D$ occurs in $\vec V$. 

Primitive predicates are basic and basic predicates are strictly positive. Note that 
primitive predicates not only include the usual first-order data types. They also include 
some dependent types like the type of lists of fixed length. On the other hand, the type 
of polymorphic lists is basic but not primitive. 

The strictly positive predicates are the predicates allowed in the Calculus of Inductive 
Constructions (CIC). For example, this includes the type ord of Brouwer's ordinals whose 
constructors are $0 : ord$, $s : ord \Rightarrow ord$ and $lim : (nat \Rightarrow ord) \Rightarrow ord$, the process algebra 
μCRL which can be formalized as a type proc with a choice operator $\Sigma : (data \Rightarrow 
proc) \Rightarrow proc$ (Sellink 1993), or the type form of the formulas of first-order predicate 
calculus whose constructors are $\neg : form \Rightarrow form$, $\vee : form \Rightarrow form \Rightarrow form$ and $\forall : 
(term \Rightarrow form) \Rightarrow form$. 

For the moment, we do not forbid non-strictly positive predicates but the conditions 
we describe in the next section do not allow the definition of functions by recursion on 
such predicates. Yet, these predicates can be very useful as shown in (Matthes 2000) 
or in (Abel 2001). In (Matthes 2000), a type cont with the constructors $D : cont$ and 
$C : ((cont \Rightarrow list) \Rightarrow list) \Rightarrow cont$, representing continuations, is used to define a 
breadth-first label listing function on labelled binary trees. In particular, it uses a function 
$ex : cont \Rightarrow list$ defined by the rules: 

$ex\,D \to nil$ 
$ex\,(C\,f) \to f\,ex$ 

It is not clear how to define a syntactic condition ensuring the strong normalization 
of such a definition: in the right hand-side of the second rule, ex is explicitly applied 
to no argument smaller than /. And, although ex can only be applied to subterms of 
reducts of /, not every subterm of a "computable" term (notion used for proving strong 
normalization) is a priori computable (see Section 5.2.2). 

5.2. General Schema 

5.2.1. Higher-order rewriting Which conditions on rewrite rules would ensure the strong 
normalization of $\to_{\mathcal R} \cup \to_\beta$? Since the works of Breazu-Tannen and Gallier (Breazu- 
Tannen and Gallier 1989) and Okada (Okada 1989) on the simply-typed λ-calculus or the 
polymorphic λ-calculus, and later the works of Barbanera (Barbanera 1990) on the Cal- 
culus of Constructions and of Dougherty (Dougherty 1991) on the untyped λ-calculus, it 
is well known that adding first-order rewriting to typed λ-calculi preserves strong normal- 
ization. This comes from the fact that first-order rewriting cannot create β-redexes. We 
will prove that this result can be extended to predicate-level rewriting if some conditions 
are fulfilled. 

However, there are many useful functions whose definition does not enter the first-order 
framework, either because some arguments are not primitive (the concatenation function 
app on polymorphic lists), or because their definition uses higher-order features like the 
function $map : (A : *)(B : *)(A \Rightarrow B) \Rightarrow list\,A \Rightarrow list\,B$ which applies a function to every 
element of a list: 

$map\,A\,B\,f\,(nil\,A') \to nil\,B$ 
$map\,A\,B\,f\,(cons\,A'\,x\,\ell) \to cons\,B\,(f\,x)\,(map\,A\,B\,f\,\ell)$ 
$map\,A\,B\,f\,(app\,A'\,\ell\,\ell') \to app\,B\,(map\,A\,B\,f\,\ell)\,(map\,A\,B\,f\,\ell')$ 

This is also the case of recursors like the recursor on natural numbers $natrec : (A : *) 
A \Rightarrow (nat \Rightarrow A \Rightarrow A) \Rightarrow nat \Rightarrow A$: 

$natrec\,A\,x\,f\,0 \to x$ 
$natrec\,A\,x\,f\,(s\,n) \to f\,n\,(natrec\,A\,x\,f\,n)$ 

and of induction principles (recursors are just non-dependent versions of the correspond- 
ing induction principles), like the induction principle on natural numbers $natind : (P : 
nat \Rightarrow *)P0 \Rightarrow ((n : nat)Pn \Rightarrow P(sn)) \Rightarrow (n : nat)Pn$: 

$natind\,P\,h_0\,h_s\,0 \to h_0$ 
$natind\,P\,h_0\,h_s\,(s\,n) \to h_s\,n\,(natind\,P\,h_0\,h_s\,n)$ 

The methods used by Breazu-Tannen and Gallier (Breazu-Tannen and Gallier 1989) 
or Dougherty (Dougherty 1991) cannot be applied to our calculus since, on the one hand, 
higher-order rewriting can create β-redexes and, on the other hand, rewriting is included 
in the type conversion rule (conv), hence more terms are typable. But there exist other 
methods, available in the simply-typed λ-calculus only or in richer type systems, for 
proving the termination of this kind of definitions: 
• The General Schema, initially introduced by Jouannaud and Okada (Jouannaud and 
Okada 1991) for the polymorphic λ-calculus and extended to the Calculus of Construc- 
tions by Barbanera, Fernandez and Geuvers (Barbanera et al. 1994), is an extension of 
the primitive recursion schema: in the right hand-side of a rule $f\vec l \to r$, the recursive 
calls to f must be done on strict subterms of $\vec l$. It can treat object-level rewriting 
with simply-typed symbols defined on primitive types. It has been reformulated and 
extended to strictly-positive types by Jouannaud, Okada and the author for the simply- 
typed λ-calculus (Blanqui et al. 2002) and the Calculus of Constructions (Blanqui et 
al. 1999). 

• The Higher-Order Recursive Path Ordering (HORPO) (Jouannaud and Rubio 1999) is 
an extension of RPO (Plaisted 1978; Dershowitz 1982) to the simply-typed λ-calculus. 
It has been recently extended by Walukiewicz (Walukiewicz 2000) to the Calculus of 
Constructions with strictly positive types (Walukiewicz-Chrząszcz 2002). It can treat 
object-level rewriting with polymorphic and dependent symbols defined on strictly 
positive types. The General Schema can be seen as a non-recursive version of HORPO. 

• It is also possible to look for an interpretation of the symbols such that the interpreta- 
tion of a term strictly decreases when a rule is applied. This method, introduced by Van 
de Pol for the simply-typed λ-calculus (Van de Pol 1996), extends to the higher-order 
framework the method of interpretations known for the first-order framework (Zan- 
tema 1994). This is a very powerful method but difficult to use in practice because the 
interpretations are themselves higher-order and also because it is not modular: adding 
new rules or new symbols may require finding new interpretations. 

For dealing with higher-order rewriting at the predicate-level together with polymor- 
phic and dependent symbols and strictly-positive predicates, we have chosen to extend 
the method of the General Schema. For first-order symbols, we use other conditions like 
in (Jouannaud and Okada 1997). 

5.2.2. Definition of the schema This method is based on Tait and Girard's method of re- 
ducibility candidates (Tait 1967; Girard et al. 1988) for proving the strong normalization 
of simply-typed or polymorphic λ-calculi. This method consists of interpreting each 
type as a subset of the strongly normalizable terms, the computable terms, and proving 
that each well-typed term is computable. Indeed, a direct proof of strong normalization 
by induction on the structure of terms does not go through because of the application 
case: if u and v are strongly normalizable then it is not clear how to prove that uv also 
is strongly normalizable. 

The idea of the General Schema is then, from a left hand-side $f\vec l$ of a rule, to define a set 
of terms, called the computability closure of $f\vec l$, whose elements are computable whenever 
the $l_i$'s so are. Then, to prove the strong normalization, it suffices to check that, for each 
rule, the right hand-side belongs to the computability closure of the left hand-side. 

To build the computability closure, we first define a subset of the subterms of l, called 
the accessible subterms of l, that are computable whenever the $l_i$'s so are (not all the sub- 
terms of a computable term are a priori computable). Then, we build the computability 
closure by closing the set of accessible variables of the left hand-side with computability- 
preserving operations. 

In order to have interesting functions, we must be able to accept recursive calls and, to 
preserve strong normalization, recursive calls must decrease in a well-founded ordering. 
The strict subterm relation $\triangleright$ (in fact, restricted to accessible subterms for preserving 
computability) is sufficient for dealing with definitions on basic predicates. In the definition 
of map for instance, $\ell$ and $\ell'$ are accessible subterms of $app\,A'\,\ell\,\ell'$. But, for non-basic 
predicates, it is not sufficient, as exemplified by the following addition on Brouwer's 
ordinals: 

$x + 0 \to x$ 
$x + (s\,y) \to s\,(x + y)$ 
$x + (lim\,f) \to lim\,([n : nat]\,x + f\,n)$ 

Another example is given by the following simplification rule in μCRL (Sellink 1993): 

$(\Sigma\,f) \cdot p \to \Sigma([d : data]\,(f\,d) \cdot p)$ 

This is why, in our conditions, we use two distinct orderings. The first one, $>_1$, is used 
for the arguments of basic type and the second one, $>_2$, is used for the arguments of 
strictly-positive type. 

Finally, to have a finer control of the comparison of the arguments, to each symbol, we 
associate a status describing how to compare the arguments by using a simple combination 
of lexicographic and multiset comparisons (Jouannaud and Okada 1997). 

Definition 22 (Accessibility) We say that $u : U$ is accessible modulo ρ in $t : T$, written 
$t : T \triangleright_\rho u : U$, if $t = f\vec u$, $f : (\vec y : \vec U)C\vec v$, $C \in \mathcal{CF}^\square$, $u = u_j$, $j \in Acc(f)$, $T\rho = C\vec v\gamma\rho$, 
$U\rho = U_j\gamma\rho$, $\gamma = \{\vec y \mapsto \vec u\}$ and no $D =_C C$ occurs in $\vec u\rho$. 

For technical reasons, we take into account not only the terms themselves but also 
their types. This comes from the fact that we are able to prove that two convertible 
types have the same interpretation only if the two types are computable. This may imply 
some restrictions on the types of the symbols. 

Indeed, accessibility requires the equality (modulo the application of p) between canon- 
ical types and derived types (see Definition 6). More precisely, for having t : T > p u : U, 
T must be equal (modulo p) to the canonical type of t and U must be equal (modulo p) 
to the type of u derived from t. In addition, if u : U > p v : V, then U must also be equal 
(modulo p) to the canonical type of u. 

Definition 23 Let $(x_i)_{i \ge 1}$ be an indexed family of variables. 

Status. A status is a term of the form $(lex\ m_1 \ldots m_k)$ with $k \ge 1$ and each $m_i$ of the 
form $(mul\ x_{k_1} \ldots x_{k_p})$ with $p \ge 1$. The arity of a status stat is the greatest index i 
such that $x_i$ occurs in stat. 

Status assignment. A status assignment is an application stat which associates a sta- 
tus $stat_f$ to every $f \in \mathcal F$. 

Predicate arguments. Let $C : (\vec z : \vec V)*$ and $\vec u$ with $|\vec u| = |\vec z|$. By $\vec u|_C$, we denote the 
sub-sequence $u_{j_1} \ldots u_{j_n}$ such that $j_1 < \ldots < j_n$ and $\{j_1, \ldots, j_n\} = \{j \le |\vec z| \mid z_j \in \mathcal X^\square\}$. 

Strictly positive positions. Let $f : (\vec x : \vec T)U$ with $stat_f = lex\ \vec m$. The set of strictly 
positive positions of f, $SP(f)$, is defined as follows. Assume that $m_i = mul\ x_{k_1} \ldots x_{k_p}$. 
Then, $i \in SP(f)$ iff there exists $T_j = C\vec a$ such that C is strictly positive and, for all j, 
$T_{k_j} = C\vec u$ with $C \in \mathcal{CF}^\square$ and $\vec u|_C = \vec a|_C$. 

Assignment compatibility. A status assignment stat is compatible with a precedence 
$\ge_{\mathcal F}$ if $f =_{\mathcal F} g$ implies $stat_f = stat_g$, $SP(f) = SP(g)$ and, for all $i \in SP(f)$, $T^f_i = T^g_i$. 

Status ordering. Let > be an ordering on terms and $stat = lex\ \vec m$ be a status of arity 
n. The extension of > to the sequences of terms of length n is the ordering $>_{stat}$ 
defined as follows: 

- $\vec u >_{stat} \vec v$ if $\vec m\{\vec x \mapsto \vec u\}\ (>_m)_{lex}\ \vec m\{\vec x \mapsto \vec v\}$, 

- $mul\ \vec u >_m mul\ \vec v$ if $\{\vec u\} >_{mul} \{\vec v\}$. 

For instance, if $stat = lex\ (mul\ x_2)(mul\ x_1\ x_3)$ then $(u_1, u_2, u_3) >_{stat} (v_1, v_2, v_3)$ iff 
$(\{u_2\}, \{u_1, u_3\})\ (>_{mul})_{lex}\ (\{v_2\}, \{v_1, v_3\})$. An important property of $>_{stat}$ is that it is 
well-founded whenever > is. 
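The status ordering is the mechanical core of the argument comparison, so here is an added Python example (not from the paper) implementing the multiset extension (Dershowitz and Manna's definition: $M >_{mul} N$ iff $M \ne N$ and every element of $N \setminus M$ is dominated by some element of $M \setminus N$), the lexicographic combination prescribed by a status, and the strict subterm ordering on first-order terms. It is run on the $lex\,(mul\,x_2)(mul\,x_1\,x_3)$ example above with the usual ordering on integers, and on the recursive call of natrec with status $lex\,(mul\,x_4)$. The encoding of statuses as lists of 1-based index lists and the function names are assumptions of this example.

```python
# Added example (not from the paper): the multiset and lexicographic
# extensions behind the status ordering >_stat of Definition 23.
# Statuses are encoded as lists of lists of 1-based argument indices:
# lex (mul x2) (mul x1 x3) is [[2], [1, 3]]  (an encoding chosen here).
from collections import Counter

def multiset_gt(gt, M, N):
    """Dershowitz-Manna extension of the strict ordering gt to multisets.
    M > N iff M != N and every y in N \\ M is dominated by some x in M \\ N."""
    M, N = Counter(M), Counter(N)
    if M == N:
        return False
    only_m, only_n = M - N, N - M               # multiset differences
    return all(any(gt(x, y) for x in only_m.elements())
               for y in only_n.elements())

def status_gt(stat, gt, u, v):
    """u >_stat v: compare the multisets selected by each (mul ...) lexicographically."""
    arity = max(i for m in stat for i in m)
    assert len(u) == len(v) >= arity, "sequences shorter than the status arity"
    for m in stat:
        M = Counter(u[i - 1] for i in m)
        N = Counter(v[i - 1] for i in m)
        if M == N:
            continue                              # equal component: look further right
        return multiset_gt(gt, M, N)              # first differing component decides
    return False                                  # all components equal

def strict_subterm(t, u):
    """t > u iff u is a strict subterm of t; terms are tuples (head, *args)."""
    return any(a == u or strict_subterm(a, u) for a in t[1:])

# The recursive call of natrec A x f (s n) -> f n (natrec A x f n) with
# stat_natrec = lex (mul x4): the 4th argument decreases by the subterm ordering.
N = ('n',)
SN = ('s', N)
NATREC_STAT = [[4]]
LHS_ARGS = (('A',), ('x',), ('f',), SN)
CALL_ARGS = (('A',), ('x',), ('f',), N)

def natrec_call_decreases():
    return status_gt(NATREC_STAT, strict_subterm, LHS_ARGS, CALL_ARGS)
```

Well-foundedness of `multiset_gt` and of the lexicographic combination follows from that of `gt`, which is why the paper only needs a well-founded base ordering on each kind of argument.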

We now define the computability closure of a rule $R = (l \to r, \Gamma, \rho)$ with $l = f\vec l$, 
$f : (\vec x : \vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$. 

Definition 24 (Ordering on symbol arguments) The ordering $>_R$ on arguments of 
f is an adaptation of $>_{stat_f}$ where the ordering > depends on the type (basic or strictly 
positive) of the argument. Assume that $stat_f = lex\ m_1 \ldots m_k$. Then: 

• $\vec t : \vec T >_R \vec u : \vec U$ if $\vec m\{\vec x \mapsto (\vec t : \vec T)\}\ (>^1, \ldots, >^k)_{lex}\ \vec m\{\vec x \mapsto (\vec u : \vec U)\}$. 

• $mul(\vec t : \vec T) >^i mul(\vec u : \vec U)$ if $i \in SP(f)$ and $\{\vec t : \vec T\}\ (>^i_R)_{mul}\ \{\vec u : \vec U\}$, 

• $mul(\vec t : \vec T) >^i mul(\vec u : \vec U)$ if $i \notin SP(f)$ and $\{\vec t : \vec T\}\ (\triangleright^+_\rho)_{mul}\ \{\vec u : \vec U\}$, 

• $t : T >^i_R u : U$ if: 

- $t = f\vec t$, $f : (\vec x : \vec T)C\vec v$, $\gamma = \{\vec x \mapsto \vec t\}$ and no $D =_C C$ occurs in $\vec v\gamma\rho$, 

- $u = x\vec u$ with $x \in dom(\Gamma)$, 

- $t : T \triangleright^+_\rho x : V$, 

- $V\rho = x\Gamma = (\vec y : \vec U)C\vec w$, $\delta = \{\vec y \mapsto \vec u\}$, $U\rho = C\vec w\delta$ and no $D =_C C$ occurs in $\vec u\delta$, 

- $\vec v\gamma\rho|_C = \vec w\delta|_C$. 

One can easily check that, for the addition on ordinals, $lim\,f : ord >^i_R f\,n : ord$. 
Indeed, for this rule, one can take $\Gamma = x : ord, f : nat \Rightarrow ord$ and the identity for ρ. 
Then, $f \in dom(\Gamma)$, $f\Gamma = nat \Rightarrow ord$ and $lim\,f : ord \triangleright_\rho f : nat \Rightarrow ord$. 

Definition 25 (Computability closure) Let $\mathcal F' = \mathcal F \cup dom(\Gamma)$, $\mathcal X' = \mathcal X \setminus FV(l)$, 
$\mathcal T' = \mathcal T(\mathcal F', \mathcal X')$ and $\mathcal E' = \mathcal E(\mathcal F', \mathcal X')$. The computability closure of R w.r.t. a precedence 
$\ge_{\mathcal F}$ and a status assignment stat compatible with $\ge_{\mathcal F}$ is the smallest relation $\vdash_c \subseteq \mathcal E' \times \mathcal T' \times \mathcal T'$ 
defined by the inference rules of Figure 4 where, for all $x \in dom(\Gamma)$, $\tau_x = x\Gamma$, 
and where $\delta : \Gamma_g \leadsto_c \Delta$ means that, for all $y \in dom(\Gamma_g)$, $\Delta \vdash_c y\delta : y\Gamma_g\delta$. 

Note that the computability closure can easily be extended by adding new inference 
rules. Then, for preserving strong normalization, it suffices to complete the proof of 
Theorem 67 where we prove that the rules of the computability closure indeed preserve 
computability. 

Fig. 4. Computability closure of $R = (f\vec l \to r, \Gamma, \rho)$ with $f : (\vec x : \vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$ 

Definition 26 (Well-formed rule) R is well-formed if: 

- $\Gamma \vdash l\rho : U\gamma\rho$, 

- $\forall x \in dom(\Gamma),\ \exists i,\ l_i : T_i\gamma \triangleright^*_\rho x : x\Gamma$, 

- $dom(\rho) \subseteq FV(l) \setminus dom(\Gamma)$. 

For instance, consider the rule: 

$app\,p\,(cons\,x\,n\,\ell)\,n'\,\ell' \to cons\,x\,(n + n')\,(app\,n\,\ell\,n'\,\ell')$ 

with $\Gamma = x : nat, n : nat, \ell : list\,n, n' : nat, \ell' : list\,n'$ and $\rho = \{p \mapsto s\,n\}$. We have 
$\Gamma \vdash l\rho : list\,((p + n')\rho)$. For x, we have $cons\,x\,n\,\ell : list\,p \triangleright_\rho x : nat$. One can easily check 
that the conditions are also satisfied for the other variables. 

Definition 27 (Computable system) R satisfies the General Schema w.r.t. a prece- 
dence $\ge_{\mathcal F}$ and a status assignment stat compatible with $\ge_{\mathcal F}$ if it is well-formed and if 
$\vdash_c r : U\gamma\rho$. A set of rules $\mathcal R$ is computable if there exists a precedence $\ge_{\mathcal F}$ and a sta- 
tus assignment stat compatible with $\ge_{\mathcal F}$ for which every rule of $\mathcal R$ satisfies the General 
Schema w.r.t. $\ge_{\mathcal F}$ and stat. 

To summarize, the rule $(l \to r, \Gamma, \rho)$ is well-typed and satisfies the General Schema if: 

- $\Gamma \vdash l\rho : U\gamma\rho$, 

- $\forall \Delta, \sigma, T$, if $\Delta \vdash l\sigma : T$ then $\sigma : \Gamma \leadsto \Delta$ and $\sigma \downarrow \rho\sigma$, 

- $\forall x \in dom(\Gamma),\ \exists i,\ l_i : T_i\gamma \triangleright^*_\rho x : x\Gamma$, 

- $dom(\rho) \subseteq FV(l) \setminus dom(\Gamma)$, 

- $\vdash_c r : U\gamma\rho$. 

Because of the (conv) rule, the relation $\vdash_c$ may be undecidable. On the other hand, if 
we restrict the (conv) rule to a confluent and strongly normalizing fragment of $\to$, then $\vdash_c$ 
becomes decidable (with an algorithm similar to the one for $\vdash$). This is quite reasonable 
since, in practice, the symbols and the rules are often added one after the other (or by 
groups, but the argument can be generalized), thus confluence and strong normalization 
can be shown incrementally. 

For instance, let $(\mathcal F, \mathcal R)$ be a confluent and strongly normalizing system, $f \notin \mathcal F$ and $\mathcal R_f$ 
be a set of rules defining f and whose symbols belong to $\mathcal F' = \mathcal F \cup \{f\}$. Then, $(\mathcal F', \mathcal R)$ is 
also confluent and strongly normalizing. Thus, we can check that the rules of $\mathcal R_f$ satisfy 
the General Schema with the rule (conv) restricted to the case where $T \downarrow_{\beta\mathcal R} T'$. This 
does not seem a big restriction: it would be surprising that the typing of a rule requires 
the use of the rule itself! 

We now detail the case of $app\,p\,(cons\,x\,n\,\ell)\,n'\,\ell' \to cons\,x\,(n + n')\,(app\,n\,\ell\,n'\,\ell')$. 
We take $stat_{app} = lex\ (mul\ x_2)$; $app >_{\mathcal F} cons, +$; $cons >_{\mathcal F} nat$ and $+ >_{\mathcal F} s, 0 >_{\mathcal F} nat$. 
We have already seen that this rule is well-formed. Let us show that $\vdash_c r : list\,(s\,n)$. 

For applying (symb$^<$), we must show that $\vdash_c \tau_{cons} : *$, $\vdash_c x : nat$, $\vdash_c n + n' : nat$ and 
$\vdash_c app\,n\,\ell\,n'\,\ell' : list\,(n + n')$. The first assertions follow from the fact that the same 
judgements hold in $\vdash$ without using app. Hence, we are left to prove the last assertion. 

For applying (symb$^=$), we must show that $\vdash_c \tau_{app} : *$, $\vdash_c n : nat$, $\vdash_c \ell : list\,n$, $\vdash_c n' : nat$, 
$\vdash_c \ell' : list\,n'$ and $cons\,x\,n\,\ell : list\,(s\,n) \triangleright_\rho \ell : list\,n$. The first assertions follow from the fact 
that the same judgements hold in $\vdash$ without using app. The last assertion has already 
been shown when proving that the rule is well-formed. 

5.3. Strong normalization conditions 

Definition 28 Let $\mathcal G \subseteq \mathcal F$. The rewrite system $(\mathcal G, \mathcal R_{\mathcal G})$ is: 

• first-order if every rule of $\mathcal R_{\mathcal G}$ has an algebraic right hand-side and, for all $g \in \mathcal G$, either 
$g \in \mathcal F^\square$ or $g : (\vec x : \vec T)C\vec v$ with $C \in \mathcal{CF}^\square$ primitive. 

• primitive if all the rules of $\mathcal R_{\mathcal G}$ have a right hand-side of the form $[\vec x : \vec T]g\vec u$ with g a 
symbol of $\mathcal G$ or a primitive constant predicate symbol. 

• simple if there is no critical pair between $\mathcal R_{\mathcal G}$ and $\mathcal R$. 

• small if, for every rule $g\vec l \to r \in \mathcal R_{\mathcal G}$, $\forall x \in FV^\square(r),\ \exists \kappa_x,\ l_{\kappa_x} = x$. 

• positive if, for every $g \in \mathcal G$, for every rule $l \to r \in \mathcal R_{\mathcal G}$, $Pos(g, r) \subseteq Pos^+(r)$. 

• safe if, for every rule $(g\vec l \to r, \Gamma, \rho) \in \mathcal R_{\mathcal G}$ with $g : (\vec x : \vec T)U$ and $\gamma = \{\vec x \mapsto \vec l\}$: 
- $\forall x \in FV^\square(\vec T U),\ x\gamma\rho \in dom^\square(\Gamma)$, 
- $\forall x, x' \in FV^\square(\vec T U),\ x\gamma\rho = x'\gamma\rho \Rightarrow x = x'$.‡ 

Definition 29 (Strong normalization conditions) 

(A0) All the rules are well-typed. 

(A1) The relation $\to = \to_{\mathcal R} \cup \to_\beta$ is confluent on $\mathcal T$. 

(A2) There exists an admissible inductive structure. 

(A3) There exists a precedence $\ge_{\mathcal F}$ on $\mathcal{DF}^\square$ which is compatible with $\mathcal R_{\mathcal{DF}^\square}$ and whose 
equivalence classes form a system which is either: 
(p) primitive, 
(q) positive, small and simple, 
(r) computable, small and simple. 

(A4) There exists a partition $\mathcal F_1 \uplus \mathcal F_\omega$ of $\mathcal{DF}$ (first-order and higher-order symbols) 
such that: 

(a) $(\mathcal F_\omega, \mathcal R_\omega)$ is computable, 

(b) $(\mathcal F_\omega, \mathcal R_\omega)$ is safe, 

(c) no symbol of $\mathcal F_\omega$ occurs in the rules of $\mathcal R_1$, 

(d) $(\mathcal F_1, \mathcal R_1)$ is first-order, 

(e) if $\mathcal R_\omega \ne \emptyset$ then $(\mathcal F_1, \mathcal R_1)$ is non-duplicating, 

(f) $\to_{\mathcal R_1}$ is strongly normalizing on first-order algebraic terms. 

The condition (A1) ensures, among other things, that β preserves typing. This condi- 
tion may seem difficult to fulfill since confluence is often proved by using strong normal- 
ization and local confluence of critical pairs (Nipkow 1991). 

We know that $\to_\beta$ is confluent and that there is no critical pair between $\mathcal R$ and β since 
the left hand-sides of rules are algebraic. Müller (Müller 1992) showed that, in this case, if 
$\to_{\mathcal R}$ is confluent and all the rules of $\mathcal R$ are left-linear, then $\to_{\mathcal R} \cup \to_\beta$ is confluent. Thus, 
the possibility we have introduced of linearizing some rules (substitution ρ) appears to 
be very useful (see Definition 3). 

In the case of left-linear rules, and assuming that $\to_{\mathcal R_1}$ is strongly normalizing as it is 
required in (f), how can we prove that $\to$ is confluent? In the case where $\to_{\mathcal R_1}$ is non- 
duplicating if $\mathcal R_\omega \ne \emptyset$, we show in Theorem 64 that $\to_{\mathcal R_1} \cup \to_{\mathcal R_\omega}$ is strongly normalizing. 
Therefore, it suffices to check that the critical pairs of $\mathcal R$ are confluent (without using 
any β-reduction). 

‡ All this means that γρ is an injection from $FV^\square(\vec T U)$ to $dom^\square(\Gamma)$. 

In (A4), in the case where $\mathcal R_\omega \ne \emptyset$, we require that the rules of $\mathcal R_1$ are non-duplicating. 
Indeed, strong normalization is not a modular property (Toyama 1987), even with con- 
fluent systems (Drosten 1989). On the other hand, strong normalization is modular for 
disjoint and non-duplicating systems (Rusinowitch 1987). Here, $\mathcal R_1$ and $\mathcal R_\omega$ are not dis- 
joint but hierarchically defined: by (c), no symbol of $\mathcal F_\omega$ occurs in the rules of $\mathcal R_1$. In 
(Dershowitz 1994), Dershowitz gathers some results on the modularity of strong normal- 
ization for first-order rewrite systems. It would be very interesting to study the mod- 
ularity of strong normalization in the case of higher-order rewriting and, in particular, 
other conditions than non-duplication which, for example, does not allow us to accept 
the following definition: 

$0 / y \to 0$ 
$(s\,x) / y \to s\,((x - y) / y)$ 

$0 - y \to 0$ 
$(s\,x) - 0 \to s\,x$ 
$(s\,x) - (s\,y) \to x - y$ 

This system is a duplicating first-order system not satisfying the General Schema: it can 
be put neither in $\mathcal R_1$ nor in $\mathcal R_\omega$. Note that Giménez (Giménez 1998) has developed a 
termination criterion for the Calculus of Inductive Constructions that accepts this ex- 
ample. 
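The duplication and linearity conditions of (A4) and of the confluence argument are purely syntactic, so they are easy to check mechanically. The following added Python example (not from the paper) counts variable occurrences on both sides of first-order rules to find duplicating rules (condition (e)), checks left-linearity (the hypothesis of Müller's confluence result), and checks that a rule set mentions none of a given set of symbols (condition (c)). It is run on the division system above, where the second rule duplicates y, and on Peano addition, which is non-duplicating. The term encoding (nested tuples for symbol applications, plain strings for variables) and the function names are assumptions of this example.

```python
# Added example (not from the paper): syntactic checks behind (A4): is a
# first-order rule set non-duplicating (condition (e)), is it left-linear
# (needed for the confluence argument via Mueller's result), and does it
# avoid a given set of symbols (condition (c))?
# Rules are pairs (lhs, rhs); terms are nested tuples (symbol, *args) and
# variables are plain strings.  This encoding is an assumption of the example.
from collections import Counter

def var_counts(t):
    """Multiset of variable occurrences in t."""
    if isinstance(t, str):
        return Counter({t: 1})
    c = Counter()
    for a in t[1:]:
        c.update(var_counts(a))
    return c

def symbols(t):
    """Set of function symbols occurring in t."""
    if isinstance(t, str):
        return set()
    s = {t[0]}
    for a in t[1:]:
        s |= symbols(a)
    return s

def duplicating_rules(rules):
    """Indices of the rules whose rhs has more occurrences of some variable than the lhs."""
    bad = []
    for k, (lhs, rhs) in enumerate(rules):
        lc, rc = var_counts(lhs), var_counts(rhs)
        if any(rc[x] > lc[x] for x in rc):
            bad.append(k)
    return bad

def is_non_duplicating(rules):
    return not duplicating_rules(rules)

def is_left_linear(rules):
    """Every variable occurs at most once in each left hand-side."""
    return all(max(var_counts(lhs).values(), default=0) <= 1 for lhs, _ in rules)

def uses_symbols(rules, forbidden):
    """Does any rule mention a symbol of `forbidden`? (condition (c))"""
    return any(symbols(l) & forbidden or symbols(r) & forbidden for l, r in rules)

# Division and subtraction on unary naturals, as in the text above.
DIV_SYSTEM = [
    (('/', ('0',), 'y'), ('0',)),
    (('/', ('s', 'x'), 'y'), ('s', ('/', ('-', 'x', 'y'), 'y'))),   # y is duplicated
    (('-', ('0',), 'y'), ('0',)),
    (('-', ('s', 'x'), ('0',)), ('s', 'x')),
    (('-', ('s', 'x'), ('s', 'y')), ('-', 'x', 'y')),
]

# Peano addition: non-duplicating, so it may sit in R_1 even when R_omega is non-empty.
ADD_SYSTEM = [
    (('+', 'x', ('0',)), 'x'),
    (('+', 'x', ('s', 'y')), ('s', ('+', 'x', 'y'))),
]
```

`duplicating_rules(DIV_SYSTEM)` returns `[1]`: only the rule for `(s x) / y` copies `y`, but that single rule is enough to put the whole system outside $\mathcal R_1$ when $\mathcal R_\omega$ is non-empty.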

In (A3), the smallness condition for computable and positive systems is equivalent in 
the Calculus of Inductive Constructions to the restriction of strong elimination to "small" 
inductive types, that is, to the types whose constructors have no other predicate param- 
eters than the ones of the type. For example, the type list of polymorphic lists is small 
since, in the type $(A : *)A \Rightarrow list\,A \Rightarrow list\,A$ of its constructor cons, A is a parameter of 
list. On the other hand, a type T having a constructor c of type $* \Rightarrow T$ is not small. So, 
we cannot define a function f of type $T \Rightarrow *$ with the rule $f\,(c\,A) \to A$. Such a rule is 
not small and does not form a primitive system either. In some sense, primitive systems 
can always be considered as small systems since they contain no projection and primitive 
predicate symbols have no predicate argument. This restriction is not only technical: 
elimination on big inductive types may lead to logical inconsistencies (Coquand 1986). 

Finally, in (A4), the safeness condition for higher-order symbols means that one cannot 
do matching or equality tests on predicate arguments that are necessary for typing other 
arguments. In her extension of HORPO (Jouannaud and Rubio 1999) to the Calculus of 
Constructions, Walukiewicz (Walukiewicz-Chrząszcz 2002) requires a similar condition. 
This has to be related to the fact that the polymorphism of CC is essentially parametric, 
that is, a polymorphic function uses the same algorithm at all types (Reynolds 1983). Gi- 
rard already demonstrated in (Girard 1971) that normalization fails if a non-parametric 
operator $J : (A : *)(B : *)A \Rightarrow B$ defined by $J\,A\,A\,x \to x$ is added to system F. See 
(Harper and Mitchell 1999) for an analysis of Girard's J operator. On the other hand, 
the rule $map\,A\,A\,[x : A]x\,\ell \to \ell$, which does not seem problematic, does not satisfy the 
safeness condition either (note however that its left hand-side is not algebraic). 

We can now state our main result whose proof is the subject of Section 6: 
THEOREM: If a CAC satisfies the conditions of Definition 29 then its reduction relation 
$\to_{\mathcal R} \cup \to_\beta$ preserves typing and is strongly normalizing. 


In (Blanqui 2001), we prove that most of CIC can be encoded into a CAC satisfying 
our conditions, and that our conditions can also be applied to prove the cut-elimination 
property in Natural Deduction Modulo (Dowek and Werner 1998). But let us give a more 
concrete example: 

This rewriting system is computable, simple, small, safe and confluent (this can be 
automatically proved by CiME (Contejean et al. 2000)). Since the rules are left-linear, the 
combination with $\to_\beta$ is also confluent. Therefore, the conditions of strong normalization 
are satisfied. For example, for the last rule, take $\Gamma = A : *, x : A, x' : A, \ell : list\,A, \ell' : list\,A$ 
and $\rho = \{A' \mapsto A, L \mapsto list\,A\}$. The rule is well-formed ($cons(A', x', \ell') : L \triangleright_\rho x' : A'$, 
...) and satisfies the General Schema ($\{cons(A, x, \ell) : L, cons(A', x', \ell') : L\}\ (\triangleright_\rho)_{mul}\ \{x : 
A, x' : A'\}$ and $\{\ell : list\,A, \ell' : list\,A\}$). 

However, the system lacks several important rules to get a complete decision proce- 
dure for classical propositional tautologies (Figure 1 in Section 1) or other simplification 
rules on the equality (Figure 2 in Section 1). To accept these rules, we must consider 
rewriting modulo associativity and commutativity and get rid of the simplicity condi- 
tions. Moreover, the distributivity rule $P \wedge (Q \vee R) \to (P \wedge Q) \vee (P \wedge R)$ is not small. 
Rewriting modulo AC does not seem to be a difficult extension, except perhaps in the 
case of predicate-level rewriting. On the other hand, confluence, simplicity and smallness 
seem difficult problems. 

From strong normalization, we can deduce the decidability of the typing relation, 
which is the essential property on which proof assistants like Coq (Coq Development 
Team 2002) or LEGO (Luo and Pollack 1992) are based. 

Theorem 30 (Decidability of type-checking) Let Γ be a valid environment and T 
be □ or a term typable in Γ. In a CAC satisfying the conditions of Definition 29, checking 
whether a term t is of type T in Γ is decidable. 

Proof. Since Γ is valid, it is possible to say whether t is typable and, if so, it is possible 
to infer a type T' for t. Then t is of type T iff T and T' are convertible and, since $\to$ is 
confluent and strongly normalizing, it suffices to check that T and T' have the same normal 
form. The reader is invited to look at (Coquand 1991; Barras 1999) for more details. □ 



6. Correctness of the conditions 

Our strong normalization proof is based on Tait and Girard's method of computability 
predicates and reducibility candidates (Girard et al. 1988). The idea is to interpret each 
type T as a set [T] of strongly normalizable terms and to prove that every term of type T 
belongs to [T]. The reader not familiar with these notions is invited to read Chapter 
3 of the Ph.D. thesis of Werner (Werner 1994) for an introduction, and the paper of 
Gallier for a more detailed presentation (Gallier 1990). 

It is worth noting several differences with previous strong normalization proofs: 

- The present proof is an important simplification of the proof given in (Blanqui 2001), 
which uses candidates à la Coquand and Gallier (Coquand and Gallier 1990) where 
only well-typed terms are considered. Here, candidates are made of well-typed and not 
well-typed terms. This leads to simpler notations and fewer properties to take care of. 

- In (Geuvers 1994), Geuvers uses candidates with possibly not well-typed terms too. 
However, the way dependent types are interpreted does not allow this proof to be 
extended to type-level rewriting. Indeed, in this proof, dependencies are simply ignored 
but, if one has a predicate symbol $F : nat \Rightarrow *$ defined by $F\,0 \to nat$ and $F\,(s\,n) \to 
nat \Rightarrow nat$, then one expects $F\,0$ to be interpreted as nat, and $F\,(s\,n)$ as $nat \Rightarrow nat$. 

- In (Werner 1994), Werner uses candidates with (not well-typed) pure λ-terms, that 
is, terms without type annotation in abstractions, in order to deal with η-conversion, 
whose combination with β is not confluent on annotated terms. As a consequence, he 
has to define a translation from annotated terms to pure terms that implies the strong 
normalization of annotated terms. Here, we give a direct proof. 

6.1. Reducibility candidates 
We denote by: 

- $\mathcal{SN}$ the set of strongly normalizable terms, 

- $\mathcal{WN}$ the set of weakly normalizable terms, 

- $\mathcal{CR}$ the set of terms from which reductions are confluent. 

Definition 31 (Neutral terms) A term t is neutral if it is not of the following form: 

- abstraction: $[x : T]u$, 

- partial application: $f\vec t$ with $f \in \mathcal{DF}$ and $|\vec t| < |\vec l|$ for some rule $f\vec l \to r \in \mathcal R$, 

- constructor: $f\vec t$ with $f : (\vec x : \vec T)C\vec v$ and $C \in \mathcal{CF}^\square$. 
Let $\mathcal N$ be the set of neutral terms. 

Note that, if t is neutral, then $t\vec u$ is neutral and not head-reducible. 

Definition 32 (Reducibility candidates) We inductively define the set $\mathcal R_t$ of the in- 
terpretations for the terms of type t, the ordering $\le_t$ on $\mathcal R_t$, the element $\top_t \in \mathcal R_t$ and 
the operation $\bigwedge_t$ from the powerset of $\mathcal R_t$ to $\mathcal R_t$ as follows. If $t \ne \square$ and $\Gamma \nvdash t : \square$ then: 
- $\mathcal R_t = \{\emptyset\}$, $\le_t = \subseteq$, $\top_t = \emptyset$ and $\bigwedge_t(\mathfrak R) = \top_t$. 
Otherwise: 

- $\mathcal R_s$ is the set of all the subsets R of $\mathcal T$ such that: 
(R1) $R \subseteq \mathcal{SN}$ (strong normalization). 

(R2) If $t \in R$ then $\to(t) \subseteq R$ (stability by reduction). 
(R3) If $t \in \mathcal N$ and $\to(t) \subseteq R$ then $t \in R$ (neutral terms). 
Furthermore, $\le_s = \subseteq$, $\top_s = \mathcal{SN}$, $\bigwedge_s(\mathfrak R) = \bigcap \mathfrak R$ if $\mathfrak R \ne \emptyset$, and $\bigwedge_s(\emptyset) = \top_s$. 

- $\mathcal R_{(x:U)K}$ is the set of functions R from $\mathcal T \times \mathcal R_U$ to $\mathcal R_K$ such that $R(u, S) = R(u', S)$ 
whenever $u \to u'$, $\top_{(x:U)K}(u, S) = \top_K$, $\bigwedge_{(x:U)K}(\mathfrak R)(u, S) = \bigwedge_K(\{R(u, S) \mid R \in \mathfrak R\})$ 
and $R \le_{(x:U)K} R'$ iff, for all $(u, S)$, $R(u, S) \le_K R'(u, S)$. 

Lemma 33 $\mathcal{V} = \{x\vec{t} \in \mathcal{T} \mid x \in \mathcal{X}, \vec{t} \in \mathcal{SN}\} \ne \emptyset$ and, for all $R \in \mathcal{R}_s$, $\mathcal{V} \subseteq R$. 

Proof. $\mathcal{V} \ne \emptyset$ since $\mathcal{X} \ne \emptyset$. Let $R \in \mathcal{R}_s$. We prove that $x\vec{t} \in R$ by induction on $\vec{t}$ 
with $\to_{lex}$ as well-founded ordering ($\vec{t} \in \mathcal{SN}$). Since $x\vec{t} \in \mathcal{N}$, it suffices to prove that 
$\to(x\vec{t}) \subseteq R$, which is the induction hypothesis. □ 

Lemma 34 (a) If $T \downarrow^*_\Gamma T'$ then $\mathcal{R}_T = \mathcal{R}_{T'}$. 
(b) If $\Gamma \vdash T : s$ and $\theta : \Gamma \leadsto \Delta$ then $\mathcal{R}_T = \mathcal{R}_{T\theta}$. 

Proof. 
(a) By induction on the size of $T$. If $\Gamma \vdash T : \star$ then $\Gamma \vdash T' : \star$ and $\mathcal{R}_T = \{\emptyset\} = \mathcal{R}_{T'}$. 
Assume now that $\Gamma \vdash T : \square$. If $T = \star$ then $T' = \star$ and $\mathcal{R}_T = \mathcal{R}_{T'}$. If $T = (x : U)K$ 
then $T' = (x : U')K'$ with $U \downarrow^*_\Gamma U'$ and $K \downarrow^*_{\Gamma, x:U} K'$. By induction hypothesis, 
$\mathcal{R}_U = \mathcal{R}_{U'}$ and $\mathcal{R}_K = \mathcal{R}_{K'}$. Therefore, $\mathcal{R}_T = \mathcal{R}_{T'}$. 

(b) By induction on the size of $T$. If $\Gamma \vdash T : \star$ then $\Delta \vdash T\theta : \star$ and $\mathcal{R}_T = \{\emptyset\} = \mathcal{R}_{T\theta}$. 
Assume now that $\Gamma \vdash T : \square$. If $T = \star$, this is immediate. If $T = (x : U)K$ then 
$T\theta = (x : U\theta)K\theta$. By induction hypothesis, $\mathcal{R}_U = \mathcal{R}_{U\theta}$ and $\mathcal{R}_K = \mathcal{R}_{K\theta}$. Therefore, 
$\mathcal{R}_T = \mathcal{R}_{T\theta}$. 

□ 

Lemma 35 (Completeness of the candidates lattice) $(\mathcal{R}_t, \le_t)$ is a complete lattice 
with greatest element $\top_t$ and the lower bound of $\Re \subseteq \mathcal{R}_t$ given by $\bigwedge_t(\Re)$. 

Proof. It suffices to prove that $(\mathcal{R}_t, \le_t)$ is a complete inf-semi-lattice and that $\top_t$ is 
its greatest element. One can easily check by induction on $t$ that $\le_t$ is an ordering (i.e. 
is reflexive, transitive and anti-symmetric), $\top_t$ is the greatest element of $\mathcal{R}_t$, and $\bigwedge_t(\Re)$ 
is the lower bound of $\Re \subseteq \mathcal{R}_t$. □ 

Lemma 36 (Smallest element) Let $\bot_0 = \emptyset$ and $\bot_{i+1} = \bot_i \cup \{t \in \mathcal{N} \mid \to(t) \subseteq \bot_i\}$. The 
set $\bot_s = \bigcup\{\bot_i \mid i < \omega\}$ is the smallest element of $\mathcal{R}_s$: $\bot_s = \bigcap \mathcal{R}_s$. 

Proof. Let $R \in \mathcal{R}_s$. We prove by induction on $i$ that $\bot_i \subseteq R$. For $i = 0$, this is 
immediate. Assume that $\bot_i \subseteq R$ and let $t \in \bot_{i+1} \setminus \bot_i$. We have $t \in \mathcal{N}$ and $\to(t) \subseteq R$ 
by induction hypothesis. Therefore, by (R3), $t \in R$ and $\bot_s \subseteq R$ for all $R \in \mathcal{R}_s$. Thus, 
$\bot_s \subseteq \bigcap \mathcal{R}_s$. 

We now prove that $\bot_s \in \mathcal{R}_s$, hence that $\bot_s = \bigcap \mathcal{R}_s$. 
(R1) We prove that $\bot_i \subseteq \mathcal{SN}$ by induction on $i$. For $i = 0$, this is immediate. Assume 
that $\bot_i \subseteq \mathcal{SN}$ and let $t \in \bot_{i+1} \setminus \bot_i$. We have $\to(t) \subseteq \mathcal{SN}$ by induction hypothesis. 
Therefore, $t \in \mathcal{SN}$. 

(R2) Let $t \in \bot_s$. Since $\bot_0 = \emptyset$, $t \in \bot_{i+1} \setminus \bot_i$ for some $i$. So, $\to(t) \subseteq \bot_i \subseteq \bot_s$. 

(R3) Let $t \in \mathcal{N}$ with $\to(t) \subseteq \bot_s$. Since $\to$ is assumed to be finitely branching, $\to(t) = 
\{t_1, \ldots, t_n\}$. For all $i$, there exists $k_i$ such that $t_i \in \bot_{k_i}$. Let $k$ be the max of 
$\{k_1, \ldots, k_n\}$. We have $\to(t) \subseteq \bot_k$ and thus $t \in \bot_{k+1} \subseteq \bot_s$. 

□ 
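A concrete instance of how the iterates $\bot_i$ fill up, and of why $\bot_s$ is strictly smaller than $\top_s = \mathcal{SN}$, added here as an illustration (it is not part of the original paper). It assumes that $x, y$ are variables, $T$ a type, $v$ a term with no reduct, and that no rule of $\mathcal{R}$ has a left hand-side headed by a variable, so that every $x\vec{u}$ is neutral: 

```latex
% Added illustration (not from the paper) of the iterates \bot_i of Lemma 36.
% Assumptions: x, y variables; T a type; v a term with no reduct; no rule of
% \mathcal{R} is headed by a variable, so every term x\,\vec{u} is neutral.
\begin{align*}
\bot_0 &= \emptyset \\
\bot_1 &= \{ t \in \mathcal{N} \mid \to(t) \subseteq \bot_0 \} \ni x,\; x\,v
        && \text{(neutral, no reduct)} \\
\bot_2 &\ni x\,(([y:T]y)\,v)
        && \text{(neutral; its only reduct } x\,v \in \bot_1\text{, but } x\,v \text{ shows it is not in } \bot_1) \\
\bot_3 &\ni x\,(([y:T]y)\,(([y:T]y)\,v))
        && \text{(neutral; its only reduct } x\,(([y:T]y)\,v) \in \bot_2 \setminus \bot_1)
\end{align*}
% Conversely, ([y:T]y)\,v is strongly normalizable but not neutral (it is an
% abstraction applied to an argument), so no step \bot_{i+1} can admit it:
([y:T]y)\,v \in \mathcal{SN} = \top_s, \qquad ([y:T]y)\,v \notin \bot_s .
% Hence \bot_s \subsetneq \top_s: \bot_s is the set of terms all of whose
% reducts are hereditarily neutral (and strongly normalizable), while \top_s
% also contains every strongly normalizable redex.
```

The nesting depth of $\beta$-redexes under the head variable is exactly the index at which the term first enters some $\bot_i$, which is why the construction needs $\omega$ steps and why (R3) in the proof uses the finitely-branching assumption to bound the index of a neutral term by the maximum index of its reducts. 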

6.2. Interpretation schema 

The interpretation $[\![t]\!]$ of a term $t$ is defined by using a candidate assignment $\xi$ for the 
free variables and an interpretation $I$ for the predicate symbols. The interpretation of 
constant predicate symbols will be defined in Section 6.3, and the interpretation of defined 
predicate symbols in Section 6.5. 

Definition 37 (Interpretation schema) A candidate assignment is a function $\xi$ from 
$\mathcal{X}$ to $\bigcup\{\mathcal{R}_t \mid t \in \mathcal{T}\}$. A candidate assignment $\xi$ validates an environment $\Gamma$ or is a 
$\Gamma$-assignment, written $\xi \models \Gamma$, if, for all $x \in dom(\Gamma)$, $x\xi \in \mathcal{R}_{x\Gamma}$. An interpretation of a 
symbol $f$ is an element of $\mathcal{R}_{\tau_f}$. An interpretation of a set $\mathcal{G}$ of symbols is a function 
which, to each symbol $g \in \mathcal{G}$, associates an interpretation of $g$. 

The interpretation of $t$ w.r.t. a candidate assignment $\xi$, an interpretation $I$ and a 
substitution $\theta$, is defined by induction on $t$ as follows: 

• $[\![t]\!]^I_{\xi,\theta} = \top_t$ if $t$ is an object or a sort, 

• $[\![f]\!]^I_{\xi,\theta} = I_f$, 

• $[\![x]\!]^I_{\xi,\theta} = x\xi$, 

• $[\![(x : U)V]\!]^I_{\xi,\theta} = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^I_{\xi,\theta}, \forall S \in \mathcal{R}_U, tu \in [\![V]\!]^I_{\xi^x_S,\theta^x_u}\}$, 

• $[\![[x : U]v]\!]^I_{\xi,\theta}(u, S) = [\![v]\!]^I_{\xi^x_S,\theta^x_u}$, 

• $[\![tu]\!]^I_{\xi,\theta} = [\![t]\!]^I_{\xi,\theta}(u\theta, [\![u]\!]^I_{\xi,\theta})$, 

where $\theta^x_u = \theta \cup \{x \mapsto u\}$ and $\xi^x_S = \xi \cup \{x \mapsto S\}$. In the case where $\Gamma \vdash t : s$, the 
elements of $[\![t]\!]^I_{\xi,\theta}$ are called computable. A substitution $\theta$ is adapted to a $\Gamma$-assignment 
$\xi$ if $dom(\theta) \subseteq dom(\Gamma)$ and, for all $x \in dom(\theta)$, $x\theta \in [\![x\Gamma]\!]^I_{\xi,\theta}$. A pair $(\xi, \theta)$ is $\Gamma$-valid, 
written $\xi, \theta \models \Gamma$, if $\xi \models \Gamma$ and $\theta$ is adapted to $\xi$. 

After Lemma 33, the identity substitution is adapted to any $\Gamma$-candidate assignment. 

Lemma 38 (Correctness of the interpretation schema) If $\Gamma \vdash t : T$ and $\xi \models \Gamma$ 
then $[\![t]\!]^I_{\xi,\theta} \in \mathcal{R}_T$. Moreover, if $\theta \to \theta'$ then $[\![t]\!]^I_{\xi,\theta} = [\![t]\!]^I_{\xi,\theta'}$. 

Proof. By induction on $\Gamma \vdash t : T$. 
(ax) $[\![\star]\!]^I_{\xi,\theta} = \top_\star = \mathcal{SN} \in \mathcal{R}_\square$ and $[\![\star]\!]^I_{\xi,\theta}$ does not depend on $\theta$. 
(symb) $[\![f]\!]^I_{\xi,\theta} = I_f \in \mathcal{R}_{\tau_f}$ by assumption on $I$ and $[\![f]\!]^I_{\xi,\theta}$ does not depend on $\theta$. 
(var) $[\![x]\!]^I_{\xi,\theta}$ does not depend on $\theta$. Now, if $x \in \mathcal{X}^\star$ then $[\![x]\!]^I_{\xi,\theta} = \emptyset \in \mathcal{R}_T = \{\emptyset\}$. 
Otherwise, $[\![x]\!]^I_{\xi,\theta} = x\xi \in \mathcal{R}_T$ since $\xi \models \Gamma, x : T$. 
(weak) By induction hypothesis. 

(prod) $R = [\![(x : U)V]\!]^I_{\xi,\theta} = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^I_{\xi,\theta}, \forall S \in \mathcal{R}_U, tu \in [\![V]\!]^I_{\xi^x_S,\theta^x_u}\} \in \mathcal{R}_s$ if it 
satisfies the properties (R1) to (R3): 

(R1) Strong normalization. Let $t \in R$. By induction hypothesis, $[\![U]\!]^I_{\xi,\theta} \in \mathcal{R}_{s'}$ for 
some $s'$, and $[\![V]\!]^I_{\xi^x_S,\theta^x_u} \in \mathcal{R}_s$. Therefore, $\mathcal{X} \subseteq [\![U]\!]^I_{\xi,\theta}$ and $[\![V]\!]^I_{\xi^x_S,\theta^x_u} \subseteq \mathcal{SN}$. Take 
$u = x \in \mathcal{X}$. Then, $tx \in [\![V]\!]^I_{\xi^x_S,\theta^x_x}$ and $t \in \mathcal{SN}$. 

(R2) Stability by reduction. Let $t \in R$ and $t' \in \to(t)$. Let $u \in [\![U]\!]^I_{\xi,\theta}$ and $S \in 
\mathcal{R}_U$. Then, $tu \in [\![V]\!]^I_{\xi^x_S,\theta^x_u}$ which, by induction hypothesis, is stable by reduction. 
Therefore, since $t'u \in \to(tu)$, $t'u \in [\![V]\!]^I_{\xi^x_S,\theta^x_u}$ and $t' \in R$. 

(R3) Neutral terms. Let $t$ be a neutral term such that $\to(t) \subseteq R$. Let $u \in [\![U]\!]^I_{\xi,\theta}$ and 
$S \in \mathcal{R}_U$. Since $t$ is neutral, $tu$ is neutral and, by induction hypothesis, $tu \in R' = 
[\![V]\!]^I_{\xi^x_S,\theta^x_u}$ if $\to(tu) \subseteq R'$. We prove it by induction on $u$ with $\to$ as well-founded 
ordering ($u \in \mathcal{SN}$ by induction hypothesis). Since $t$ is neutral, $tu$ is not head- 
reducible and a reduct of $tu$ is either of the form $t'u$ with $t' \in \to(t)$, or of the form 
$tu'$ with $u' \in \to(u)$. In the former case, $t'u \in R'$ by assumption. In the latter case, 
we conclude by induction hypothesis. 

Assume now that $\theta \to \theta'$. Let $R' = [\![(x : U)V]\!]^I_{\xi,\theta'} = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^I_{\xi,\theta'}, \forall S \in \mathcal{R}_U, tu \in 
[\![V]\!]^I_{\xi^x_S,\theta'^x_u}\}$. By induction hypothesis, $[\![U]\!]^I_{\xi,\theta'} = [\![U]\!]^I_{\xi,\theta}$ and $[\![V]\!]^I_{\xi^x_S,\theta'^x_u} = [\![V]\!]^I_{\xi^x_S,\theta^x_u}$. There- 
fore, $R' = R$. 

(abs) Let $R = [\![[x : U]v]\!]^I_{\xi,\theta}$. $R(u, S) = [\![v]\!]^I_{\xi^x_S,\theta^x_u}$. By induction hypothesis, $R(u, S) \in 
\mathcal{R}_V$. Assume now that $u \to u'$. Then, $R(u', S) = [\![v]\!]^I_{\xi^x_S,\theta^x_{u'}}$. By induction hypothesis, 
$[\![v]\!]^I_{\xi^x_S,\theta^x_{u'}} = [\![v]\!]^I_{\xi^x_S,\theta^x_u}$. Therefore, $R \in \mathcal{R}_{(x:U)V}$. Assume now that $\theta \to \theta'$. Let $R' = [\![[x : 
U]v]\!]^I_{\xi,\theta'}$. $R'(u, S) = [\![v]\!]^I_{\xi^x_S,\theta'^x_u}$. By induction hypothesis, $R'(u, S) = R(u, S)$. Therefore, 
$R = R'$. 

(app) Let $R = [\![tu]\!]^I_{\xi,\theta} = [\![t]\!]^I_{\xi,\theta}(u\theta, [\![u]\!]^I_{\xi,\theta})$. By induction hypothesis, $[\![t]\!]^I_{\xi,\theta} \in \mathcal{R}_{(x:U)V}$ and 
$[\![u]\!]^I_{\xi,\theta} \in \mathcal{R}_U$. Therefore, $R \in \mathcal{R}_V = \mathcal{R}_{V\{x \mapsto u\}}$ by Lemma 34. Assume now that 
$\theta \to \theta'$. Then, $R' = [\![tu]\!]^I_{\xi,\theta'} = [\![t]\!]^I_{\xi,\theta'}(u\theta', [\![u]\!]^I_{\xi,\theta'})$. By induction hypothesis, $[\![t]\!]^I_{\xi,\theta'} = 
[\![t]\!]^I_{\xi,\theta}$ and $[\![u]\!]^I_{\xi,\theta'} = [\![u]\!]^I_{\xi,\theta}$. Finally, since $[\![t]\!]^I_{\xi,\theta}$ is stable by reduction and $u\theta \to^* u\theta'$, 
we have $R = R'$. 

(conv) By induction hypothesis since, by Lemma 34, $\mathcal{R}_T = \mathcal{R}_{T'}$. 

□ 

Lemma 39 Let $I$ and $I'$ be two interpretations equal on the predicate symbols occurring 
in $t$, $\xi$ and $\xi'$ be two candidate assignments equal on the predicate variables free in $t$, 
and $\theta$ and $\theta'$ be two substitutions equal on the variables free in $t$. If $\Gamma \vdash t : T$ and $\xi \models \Gamma$ 
then $[\![t]\!]^I_{\xi,\theta} = [\![t]\!]^{I'}_{\xi',\theta'}$. 

Proof. By induction on $t$. □ 

Lemma 40 (Candidate substitution) If $\Gamma \vdash t : T$, $\sigma : \Gamma \leadsto \Delta$ and $\xi \models \Delta$ then, for all 
$\theta$, $[\![t\sigma]\!]^I_{\xi,\theta} = [\![t]\!]^I_{\xi',\sigma\theta}$ with $x\xi' = [\![x\sigma]\!]^I_{\xi,\theta}$ and $\xi' \models \Gamma$. 

Proof. We first check that $\xi' \models \Gamma$. Let $x \in dom(\Gamma)$. $x\xi' = [\![x\sigma]\!]^I_{\xi,\theta}$. By Lemma 38, 
$x\xi' \in \mathcal{R}_{x\Gamma\sigma}$ since $\Delta \vdash x\sigma : x\Gamma\sigma$ and $\xi \models \Delta$. By Lemma 34, $\mathcal{R}_{x\Gamma\sigma} = \mathcal{R}_{x\Gamma}$ since $\Gamma \vdash x\Gamma : s_x$ 
and $\sigma : \Gamma \leadsto \Delta$. We now prove the lemma by induction on $t$. If $t$ is an object then $t\sigma$ 
is an object too and $[\![t\sigma]\!]^I_{\xi,\theta} = \emptyset = [\![t]\!]^I_{\xi',\sigma\theta}$. If $t$ is not an object then $t\sigma$ is not an object 
either. We proceed by case on $t$: 

• $[\![f\sigma]\!]^I_{\xi,\theta} = I_f = [\![f]\!]^I_{\xi',\sigma\theta}$. 

• $[\![x\sigma]\!]^I_{\xi,\theta} = x\xi' = [\![x]\!]^I_{\xi',\sigma\theta}$. 

• Let $R = [\![(x : U\sigma)V\sigma]\!]^I_{\xi,\theta} = \{t \in \mathcal{T} \mid \forall u \in [\![U\sigma]\!]^I_{\xi,\theta}, \forall S \in \mathcal{R}_{U\sigma} = \mathcal{R}_U, tu \in [\![V\sigma]\!]^I_{\xi^x_S,\theta^x_u}\}$ 
and $R' = [\![(x : U)V]\!]^I_{\xi',\sigma\theta} = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^I_{\xi',\sigma\theta}, \forall S \in \mathcal{R}_U, tu \in [\![V]\!]^I_{\xi'^x_S,(\sigma\theta)^x_u}\}$. 
By induction hypothesis, $[\![U\sigma]\!]^I_{\xi,\theta} = [\![U]\!]^I_{\xi',\sigma\theta}$ and $[\![V\sigma]\!]^I_{\xi^x_S,\theta^x_u} = [\![V]\!]^I_{\xi'',\sigma(\theta^x_u)}$ with $y\xi'' = 
[\![y\sigma]\!]^I_{\xi^x_S,\theta^x_u}$. Since $\sigma(\theta^x_u) = (\sigma\theta)^x_u$ ($x \notin dom(\sigma) \cup dom(\theta) \cup FV(\sigma)$) and $\xi'' = \xi'^x_S$ ($x \notin 
dom(\sigma) \cup FV(\sigma)$), we have $R = R'$. 

• Let $R = [\![[x : U\sigma]v\sigma]\!]^I_{\xi,\theta}$ and $R' = [\![[x : U]v]\!]^I_{\xi',\sigma\theta}$. By Lemma 34, $R$ and $R'$ have the 
same domain $\mathcal{T} \times \mathcal{R}_U$ and the same codomain $\mathcal{R}_V$. Moreover, $R(u, S) = [\![v\sigma]\!]^I_{\xi^x_S,\theta^x_u}$ 
and $R'(u, S) = [\![v]\!]^I_{\xi'^x_S,(\sigma\theta)^x_u}$. By induction hypothesis, $R(u, S) = [\![v]\!]^I_{\xi'',\sigma(\theta^x_u)}$ with $y\xi'' = 
[\![y\sigma]\!]^I_{\xi^x_S,\theta^x_u}$. Since $\sigma(\theta^x_u) = (\sigma\theta)^x_u$ and $\xi'' = \xi'^x_S$, we have $R = R'$. 

• Let $R = [\![t\sigma\, u\sigma]\!]^I_{\xi,\theta} = [\![t\sigma]\!]^I_{\xi,\theta}(u\sigma\theta, [\![u\sigma]\!]^I_{\xi,\theta})$ and $R' = [\![tu]\!]^I_{\xi',\sigma\theta} = [\![t]\!]^I_{\xi',\sigma\theta}(u\sigma\theta, [\![u]\!]^I_{\xi',\sigma\theta})$. 
By induction hypothesis, $[\![t\sigma]\!]^I_{\xi,\theta} = [\![t]\!]^I_{\xi',\sigma\theta}$ and $[\![u\sigma]\!]^I_{\xi,\theta} = [\![u]\!]^I_{\xi',\sigma\theta}$. Therefore, $R = R'$. 

□ 

6.3. Interpretation of constant predicate symbols 

Like Mendler (Mendler 1987) or Werner (Werner 1994), we define the interpretation of 
constant predicate symbols as the fixpoint of some monotonic function on a complete 
lattice. The monotonicity is ensured by the positivity conditions of admissible inductive 
structures (Definition 20). The main difference with these works is that we have a more 
general notion of constructor since it includes any function symbol whose output type is a 
constant predicate symbol. This allows us to define functions and predicates by matching 
not only on constant constructors but also on defined symbols. 

Definition 41 (Monotonic interpretation) Let $I$ be an interpretation of $C : (\vec{x} : \vec{T})\star$, 
$\vec{a} = (\vec{t}, \vec{S})$ and $\vec{a}' = (\vec{t}', \vec{S}')$ be arguments of $I$. Let $\vec{a} \le_i \vec{a}'$ iff $\vec{t} = \vec{t}'$, $S_i \le S'_i$ and, for all 
$j \ne i$, $S_j = S'_j$. We say that $I$ is monotonic if, for all $i \in Mon(C)$, $\vec{a} \le_i \vec{a}' \Rightarrow I(\vec{a}) \le I(\vec{a}')$. 

We define the monotonic interpretation $I$ of $C \in \mathcal{CF}^\square$ by induction on $>_\mathcal{C}$ (A2). Let $C \in 
\mathcal{CF}^\square$ and assume that we already defined a monotonic interpretation $K$ for every symbol 
smaller than $C$. Let $\mathcal{I}$ (resp. $\mathcal{I}^m$) be the set of (resp. monotonic) interpretations of 
$\{D \in \mathcal{CF}^\square \mid D =_\mathcal{C} C\}$, and $\le$ be the relation on $\mathcal{I}$ defined by $I \le I'$ iff, for all $D =_\mathcal{C} C$, 
$I_D \le_{\tau_D} I'_D$. For simplicity, we denote $[\![t]\!]^{K \cup I}$ by $[\![t]\!]^I$. 

Lemma 42 $(\mathcal{I}^m, \le)$ is a complete lattice. 

Proof. First of all, $\le$ is an ordering since, for all $D =_\mathcal{C} C$, $\le_{\tau_D}$ is an ordering. 

The function $I^\top$ defined by $I^\top_D = \top_{\tau_D}$ is the greatest element of $\mathcal{I}$. We show that 
it belongs to $\mathcal{I}^m$. Let $D =_\mathcal{C} C$ with $D : (\vec{x} : \vec{T})U$, $i \in Mon(D)$ and $\vec{a} \le_i \vec{a}'$. Then, 
$I^\top_D(\vec{a}) = \top_U = I^\top_D(\vec{a}')$. 

We now show that every part of $\mathcal{I}^m$ has an inf. Let $\Im \subseteq \mathcal{I}^m$ and $I^\wedge$ be the function 
defined by $I^\wedge_D = \bigwedge_{\tau_D}(\Re_D)$ where $\Re_D = \{I_D \mid I \in \Im\}$. We show that $I^\wedge \in \mathcal{I}^m$. Let $D =_\mathcal{C} C$ 
with $D : (\vec{x} : \vec{T})U$, $i \in Mon(D)$ and $\vec{a} \le_i \vec{a}'$. Then, $I^\wedge_D(\vec{a}) = \bigwedge_U\{I_D(\vec{a}) \mid I \in \Im\}$ and 
$I^\wedge_D(\vec{a}') = \bigwedge_U\{I_D(\vec{a}') \mid I \in \Im\}$. Since each $I_D$ is monotonic, $I_D(\vec{a}) \le_U I_D(\vec{a}')$. Therefore, 
$I^\wedge_D(\vec{a}) \le_U I^\wedge_D(\vec{a}')$. 

We are left to show that $I^\wedge$ is the inf of $\Im$. For all $I \in \Im$, $I^\wedge \le I$ since, for all $D =_\mathcal{C} C$, 
$I^\wedge_D$ is the inf of $\Re_D$. Assume now that there exists $I' \in \mathcal{I}^m$ such that, for all $I \in \Im$, 
$I' \le I$. Then $I' \le I^\wedge$ since $I^\wedge_D$ is the inf of $\Re_D$. □ 

Definition 43 (Interpretation of constant predicate symbols) Let $\varphi$ be the func- 
tion which, to $I \in \mathcal{I}^m$, associates the interpretation $\varphi^I \in \mathcal{I}^m$ such that $\varphi^I_D(\vec{t}, \vec{S})$ is the 
set of terms $u \in \mathcal{SN}$ such that if $u$ reduces to $f\vec{u}$ with $f : (\vec{y} : \vec{U})D\vec{v}$ and $|\vec{u}| = |\vec{y}|$ then, 
for all $j \in Acc(f)$, $u_j \in [\![U_j]\!]^I_{\xi,\theta}$ with $\theta = \{\vec{y} \mapsto \vec{u}\}$ and $y\xi = S_{\iota_y}$. We show hereafter that 
$\varphi$ is monotonic. Therefore, we can take $I = lfp(\varphi)$, the least fixpoint of $\varphi$. 

For simplicity, we write $(\vec{t}, \vec{S})$ instead of $(t_1, S_1), \ldots, (t_n, S_n)$. 

Since $\varphi^I_D(\vec{t}, \vec{S})$ does not depend on $\vec{t}$, we may sometimes write $I_D(\vec{S})$ instead of $I_D(\vec{t}, \vec{S})$. 
The aim of this definition is to ensure the correctness of the accessibility relations (Lemma 
53): if $f\vec{u}$ is computable then each accessible $u_j$ is computable. This will allow us to ensure 
the computability of the variables of the left hand-side of a rule if the arguments of the 
left hand-side are computable, and thus the computability of the right hand-sides that 
belong to the computability closure. 

Lemma 44 $\varphi^I$ is a well defined interpretation. 

Proof. We first prove that $\varphi^I$ is well defined. The existence of $\iota_y$ is the hypothesis (I6). 
The interpretations necessary for computing $[\![U_j]\!]^I_{\xi,\theta}$ are all well defined. The interpreta- 
tion of constant predicate symbols smaller than $D$ is $K$. The interpretation of constant 
predicate symbols equivalent to $D$ is $I$. By (I4) and (I5), constant predicate symbols 
greater than $D$ and defined predicate symbols do not occur in $U_j$. Finally, we must make 
sure that $\xi \models \Gamma$ where $\Gamma$ is the environment made of the declarations $y_i : U_i$ such that 
$y_i \in FV(U_j)$ for some $j$. Let $y \in dom(\Gamma)$. We must prove that $y\xi \in \mathcal{R}_{y\Gamma}$. Assume that 
$D : (\vec{x} : \vec{T})U$. Then, $y\xi = S_{\iota_y} \in \mathcal{R}_{T_{\iota_y}}$. Let $\gamma = \{\vec{x} \mapsto \vec{v}\}$. Since $\gamma : \Gamma_D \leadsto \Gamma_f$, by Lemma 
34, $\mathcal{R}_{T_{\iota_y}} = \mathcal{R}_{T_{\iota_y}\gamma}$. By (I6), $v_{\iota_y} = y$. So, $\Gamma_f \vdash y : T_{\iota_y}\gamma$ and $T_{\iota_y}\gamma \downarrow^* y\Gamma_f$. Therefore, by 
Lemma 34, $\mathcal{R}_{T_{\iota_y}\gamma} = \mathcal{R}_{y\Gamma_f}$ and $y\xi \in \mathcal{R}_{y\Gamma}$. 

We now prove that $\varphi^I_D \in \mathcal{R}_{\tau_D}$. It is clearly stable by reduction since it does not depend 
on $\vec{t}$. Furthermore, $R = \varphi^I_D(\vec{t}, \vec{S})$ satisfies the properties (R1) to (R3): 
(R1) Strong normalization. By definition. 

(R2) Stability by reduction. Let $u \in R$ and $u' \in \to(u)$. Since $u \in \mathcal{SN}$, $u' \in \mathcal{SN}$. Assume 
furthermore that $u' \to^* f\vec{u}$ with $f : (\vec{y} : \vec{U})D\vec{v}$. Then, $u \to^* f\vec{u}$. Therefore, for all 
$j \in Acc(f)$, $u_j \in [\![U_j]\!]^I_{\xi,\theta}$ and $u' \in R$. 

(R3) Neutral terms. Let $u$ be a neutral term such that $\to(u) \subseteq R$. Then, $u \in \mathcal{SN}$. 
Assume now that $u \to^* f\vec{u}$ with $f : (\vec{y} : \vec{U})D\vec{v}$. Since $u$ is neutral, $u \ne f\vec{u}$ and there 
exists $u' \in \to(u)$ such that $u' \to^* f\vec{u}$. Therefore, for all $j \in Acc(f)$, $u_j \in [\![U_j]\!]^I_{\xi,\theta}$ and 
$u \in R$. 

□ 

Lemma 45 Let $\le^+ = \le$, $\le^- = \ge$ and $\xi \le^x \xi'$ iff $x\xi \le x\xi'$ and, for all $y \ne x$, $y\xi = y\xi'$. If 
$I$ is monotonic, $\xi \le^x \xi'$, $Pos(x, t) \subseteq Pos^\delta(t)$, $\Gamma \vdash t : T$ and $\xi, \xi' \models \Gamma$ then $[\![t]\!]^I_{\xi,\theta} \le^\delta [\![t]\!]^I_{\xi',\theta}$. 

Proof. By induction on $t$. 

• $[\![x]\!]^I_{\xi,\theta} = x\xi \le x\xi' = [\![x]\!]^I_{\xi',\theta}$ and $\delta = +$ necessarily. 

• $[\![y]\!]^I_{\xi,\theta} = y\xi = y\xi' = [\![y]\!]^I_{\xi',\theta}$ ($y \ne x$). 

• Let $R = [\![F\vec{t}]\!]^I_{\xi,\theta}$ and $R' = [\![F\vec{t}]\!]^I_{\xi',\theta}$. $R = I_F(\vec{a})$ with $a_i = (t_i\theta, [\![t_i]\!]^I_{\xi,\theta})$ and $R' = I_F(\vec{a}')$ 
with $a'_i = (t_i\theta, [\![t_i]\!]^I_{\xi',\theta})$. $Pos^\delta(F\vec{t}) = \{1^{|\vec{t}|} \mid \delta = +\} \cup \bigcup\{1^{|\vec{t}|-i}2.Pos^\delta(t_i) \mid i \in Mon(F)\}$. If 
$i \in Mon(F)$ then $Pos(x, t_i) \subseteq Pos^\delta(t_i)$ and, by induction hypothesis, $[\![t_i]\!]^I_{\xi,\theta} \le^\delta [\![t_i]\!]^I_{\xi',\theta}$. 
Otherwise, $Pos(x, t_i) = \emptyset$ and $[\![t_i]\!]^I_{\xi,\theta} = [\![t_i]\!]^I_{\xi',\theta}$. Therefore, in both cases, $R \le^\delta R'$ since 
$I_F$ is monotonic. 

• Let $R = [\![(x : U)V]\!]^I_{\xi,\theta}$ and $R' = [\![(x : U)V]\!]^I_{\xi',\theta}$. $R = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^I_{\xi,\theta}, \forall S \in 
\mathcal{R}_U, tu \in [\![V]\!]^I_{\xi^x_S,\theta^x_u}\}$. $R' = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^I_{\xi',\theta}, \forall S \in \mathcal{R}_U, tu \in [\![V]\!]^I_{\xi'^x_S,\theta^x_u}\}$. Since 
$Pos^\delta((x : U)V) = 1.Pos^{-\delta}(U) \cup 2.Pos^\delta(V)$, $Pos(x, U) \subseteq Pos^{-\delta}(U)$ and $Pos(x, V) \subseteq 
Pos^\delta(V)$. Therefore, by induction hypothesis, $[\![U]\!]^I_{\xi,\theta} \le^{-\delta} [\![U]\!]^I_{\xi',\theta}$ and $[\![V]\!]^I_{\xi^x_S,\theta^x_u} \le^\delta 
[\![V]\!]^I_{\xi'^x_S,\theta^x_u}$. So, $R \le^\delta R'$. Indeed, if $\delta = +$, $t \in R$ and $u \in [\![U]\!]^I_{\xi',\theta} \subseteq [\![U]\!]^I_{\xi,\theta}$ then 
$tu \in [\![V]\!]^I_{\xi^x_S,\theta^x_u} \subseteq [\![V]\!]^I_{\xi'^x_S,\theta^x_u}$ and $t \in R'$. If $\delta = -$, $t \in R'$ and $u \in [\![U]\!]^I_{\xi,\theta} \subseteq [\![U]\!]^I_{\xi',\theta}$ then 
$tu \in [\![V]\!]^I_{\xi'^x_S,\theta^x_u} \subseteq [\![V]\!]^I_{\xi^x_S,\theta^x_u}$ and $t \in R$. 

• Let $R = [\![[x : U]v]\!]^I_{\xi,\theta}$ and $R' = [\![[x : U]v]\!]^I_{\xi',\theta}$. $R$ and $R'$ have the same domain 
$\mathcal{T} \times \mathcal{R}_U$ and the same codomain $\mathcal{R}_V$. $R(u, S) = [\![v]\!]^I_{\xi^x_S,\theta^x_u}$ and $R'(u, S) = [\![v]\!]^I_{\xi'^x_S,\theta^x_u}$. Since 
$Pos^\delta([x : U]v) = 2.Pos^\delta(v)$, $Pos(x, v) \subseteq Pos^\delta(v)$. Therefore, by induction hypothesis, 
$R(u, S) \le^\delta R'(u, S)$ and $R \le^\delta R'$. 

• Let $R = [\![tu]\!]^I_{\xi,\theta}$ and $R' = [\![tu]\!]^I_{\xi',\theta}$ ($t \ne f\vec{t}$). $R = [\![t]\!]^I_{\xi,\theta}(u\theta, S)$ with $S = [\![u]\!]^I_{\xi,\theta}$. $R' = 
[\![t]\!]^I_{\xi',\theta}(u\theta, S')$ with $S' = [\![u]\!]^I_{\xi',\theta}$. Since $Pos^\delta(tu) = 1.Pos^\delta(t)$, $Pos(x, t) \subseteq Pos^\delta(t)$ and 
$Pos(x, u) = \emptyset$. Therefore, $S = S'$ and, by induction hypothesis, $[\![t]\!]^I_{\xi,\theta} \le^\delta [\![t]\!]^I_{\xi',\theta}$. So, 
$R \le^\delta R'$. 

□ 

Lemma 46 $\varphi^I$ is monotonic. 

Proof. Let $D =_\mathcal{C} C$ with $D : (\vec{x} : \vec{T})U$, $i \in Mon(D)$ and $\vec{a} \le_i \vec{a}'$ with $\vec{a} = (\vec{t}, \vec{S})$ 
and $\vec{a}' = (\vec{t}, \vec{S}')$. We have to show that $\varphi^I_D(\vec{a}) \subseteq \varphi^I_D(\vec{a}')$. Let $u \in \varphi^I_D(\vec{a})$. We prove 
that $u \in \varphi^I_D(\vec{a}')$. First, we have $u \in \mathcal{SN}$. Assume now that $u$ reduces to $f\vec{u}$ with 
$f : (\vec{y} : \vec{U})D\vec{v}$. Let $j \in Acc(f)$. We have to prove that $u_j \in [\![U_j]\!]^I_{\xi',\theta}$ with $\theta = \{\vec{y} \mapsto \vec{u}\}$ 
and, for all $y \in FV^\square(U_j)$, $y\xi' = S'_{\iota_y}$. Since $u \in \varphi^I_D(\vec{a})$, we have $u_j \in [\![U_j]\!]^I_{\xi,\theta}$ with, for 
all $y \in FV^\square(U_j)$, $y\xi = S_{\iota_y}$. If, for all $y \in FV^\square(U_j)$, $\iota_y \ne i$, then $\xi$ and $\xi'$ are equal on 
$FV^\square(U_j)$. Therefore, $[\![U_j]\!]^I_{\xi,\theta} = [\![U_j]\!]^I_{\xi',\theta}$ and $u_j \in [\![U_j]\!]^I_{\xi',\theta}$. If there exists $y \in FV^\square(U_j)$ 
such that $\iota_y = i$ then $\xi \le^y \xi'$. By (I2), $Pos(y, U_j) \subseteq Pos^+(U_j)$. Therefore, by Lemma 45, 
$[\![U_j]\!]^I_{\xi,\theta} \subseteq [\![U_j]\!]^I_{\xi',\theta}$ and $u_j \in [\![U_j]\!]^I_{\xi',\theta}$. □ 

Lemma 47 Let $I \le^F I'$ iff $I_F \le I'_F$ and, for all $G \ne F$, $I_G = I'_G$. If $I$ is monotonic, 
$I \le^F I'$, $Pos(F, t) \subseteq Pos^\delta(t)$, $\Gamma \vdash t : T$ and $\xi \models \Gamma$ then $[\![t]\!]^I_{\xi,\theta} \le^\delta [\![t]\!]^{I'}_{\xi,\theta}$. 

Proof. By induction on $t$. 

• $[\![s]\!]^I_{\xi,\theta} = \top_s = [\![s]\!]^{I'}_{\xi,\theta}$. 

• $[\![x]\!]^I_{\xi,\theta} = x\xi = [\![x]\!]^{I'}_{\xi,\theta}$. 

• Let $R = [\![G\vec{t}]\!]^I_{\xi,\theta}$ and $R' = [\![G\vec{t}]\!]^{I'}_{\xi,\theta}$. $R = I_G(\vec{a})$ with $a_i = (t_i\theta, [\![t_i]\!]^I_{\xi,\theta})$ and $R' = I'_G(\vec{a}')$ with 
$a'_i = (t_i\theta, [\![t_i]\!]^{I'}_{\xi,\theta})$. $Pos^\delta(G\vec{t}) = \{1^{|\vec{t}|} \mid \delta = +\} \cup \bigcup\{1^{|\vec{t}|-i}2.Pos^\delta(t_i) \mid i \in Mon(G)\}$. If 
$i \in Mon(G)$ then $Pos(F, t_i) \subseteq Pos^\delta(t_i)$ and, by induction hypothesis, $[\![t_i]\!]^I_{\xi,\theta} \le^\delta [\![t_i]\!]^{I'}_{\xi,\theta}$. 
Otherwise, $Pos(F, t_i) = \emptyset$ and $[\![t_i]\!]^I_{\xi,\theta} = [\![t_i]\!]^{I'}_{\xi,\theta}$. Therefore, $I_G(\vec{a}) \le^\delta I_G(\vec{a}')$ since $I_G$ is 
monotonic. Now, if $G = F$ then $\delta = +$ and $I_G(\vec{a}) \le I_G(\vec{a}') = I_F(\vec{a}') \le I'_F(\vec{a}') = I'_G(\vec{a}')$. 
Otherwise, $I_G(\vec{a}) \le^\delta I_G(\vec{a}') = I'_G(\vec{a}')$. 

• Let $R = [\![(x : U)V]\!]^I_{\xi,\theta}$ and $R' = [\![(x : U)V]\!]^{I'}_{\xi,\theta}$. $R = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^I_{\xi,\theta}, \forall S \in \mathcal{R}_U, tu \in 
[\![V]\!]^I_{\xi^x_S,\theta^x_u}\}$ and $R' = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]^{I'}_{\xi,\theta}, \forall S \in \mathcal{R}_U, tu \in [\![V]\!]^{I'}_{\xi^x_S,\theta^x_u}\}$. Since $Pos^\delta((x : 
U)V) = 1.Pos^{-\delta}(U) \cup 2.Pos^\delta(V)$, $Pos(F, U) \subseteq Pos^{-\delta}(U)$ and $Pos(F, V) \subseteq Pos^\delta(V)$. 
Therefore, by induction hypothesis, $[\![U]\!]^I_{\xi,\theta} \le^{-\delta} [\![U]\!]^{I'}_{\xi,\theta}$ and $[\![V]\!]^I_{\xi^x_S,\theta^x_u} \le^\delta [\![V]\!]^{I'}_{\xi^x_S,\theta^x_u}$. So, 
$[\![t]\!]^I_{\xi,\theta} \le^\delta [\![t]\!]^{I'}_{\xi,\theta}$. Indeed, if $\delta = +$, $t \in R$ and $u \in [\![U]\!]^{I'}_{\xi,\theta} \subseteq [\![U]\!]^I_{\xi,\theta}$ then $tu \in [\![V]\!]^I_{\xi^x_S,\theta^x_u} \subseteq 
[\![V]\!]^{I'}_{\xi^x_S,\theta^x_u}$ and $t \in R'$. If $\delta = -$, $t \in R'$ and $u \in [\![U]\!]^I_{\xi,\theta} \subseteq [\![U]\!]^{I'}_{\xi,\theta}$ then $tu \in [\![V]\!]^{I'}_{\xi^x_S,\theta^x_u} \subseteq 
[\![V]\!]^I_{\xi^x_S,\theta^x_u}$ and $t \in R$. 

• Let $R = [\![[x : U]v]\!]^I_{\xi,\theta}$ and $R' = [\![[x : U]v]\!]^{I'}_{\xi,\theta}$. $R$ and $R'$ have the same domain 
$\mathcal{T} \times \mathcal{R}_U$ and same codomain $\mathcal{R}_V$. $R(u, S) = [\![v]\!]^I_{\xi^x_S,\theta^x_u}$ and $R'(u, S) = [\![v]\!]^{I'}_{\xi^x_S,\theta^x_u}$. Since 
$Pos^\delta([x : U]v) = 2.Pos^\delta(v)$, $Pos(F, v) \subseteq Pos^\delta(v)$. Therefore, by induction hypothesis, 
$R(u, S) \le^\delta R'(u, S)$ and $R \le^\delta R'$. 

• Let $R = [\![tu]\!]^I_{\xi,\theta}$ and $R' = [\![tu]\!]^{I'}_{\xi,\theta}$ ($t \ne f\vec{t}$). $R = [\![t]\!]^I_{\xi,\theta}(u\theta, S)$ with $S = [\![u]\!]^I_{\xi,\theta}$. $R' = 
[\![t]\!]^{I'}_{\xi,\theta}(u\theta, S')$ with $S' = [\![u]\!]^{I'}_{\xi,\theta}$. Since $Pos^\delta(tu) = 1.Pos^\delta(t)$, $Pos(F, t) \subseteq Pos^\delta(t)$ and 
$Pos(F, u) = \emptyset$. Therefore, $S = S'$ and, by induction hypothesis, $[\![t]\!]^I_{\xi,\theta} \le^\delta [\![t]\!]^{I'}_{\xi,\theta}$. So, 
$R \le^\delta R'$. 

□ 

Lemma 48 $\varphi$ is monotonic. 

Proof. Let $I, I' \in \mathcal{I}^m$ such that $I \le I'$. We have to prove that, for all $D =_\mathcal{C} C$, $\varphi^I_D \le 
\varphi^{I'}_D$, that is, $\varphi^I_D(\vec{a}) \subseteq \varphi^{I'}_D(\vec{a})$ for all $\vec{a}$. Let $u \in \varphi^I_D(\vec{a})$. We prove that $u \in \varphi^{I'}_D(\vec{a})$. First, we 
have $u \in \mathcal{SN}$. Assume now that $u$ reduces to $f\vec{u}$ with $f : (\vec{y} : \vec{U})D\vec{v}$. Let $j \in Acc(f)$. We 
have to prove that $u_j \in [\![U_j]\!]^{I'}_{\xi,\theta}$ with $\theta = \{\vec{y} \mapsto \vec{u}\}$ and, for all $y \in FV^\square(U_j)$, $y\xi = S_{\iota_y}$. 
Since $u \in \varphi^I_D(\vec{a})$, we have $u_j \in [\![U_j]\!]^I_{\xi,\theta}$. Since $j \in Acc(f)$, by (I3), for all $E =_\mathcal{C} D$, 
$Pos(E, U_j) \subseteq Pos^+(U_j)$. Now, only a finite number of symbols $E =_\mathcal{C} D$ can occur in $U_j$, 
say $E_0, \ldots, E_{n-1}$. Let $I^0 = I$ and, for all $i < n$, $I^{i+1}_D = I^i_D$ if $D \ne E_i$, and $I^{i+1}_{E_i} = I'_{E_i}$ 
otherwise. We have $I = I^0 \le^{E_0} I^1 \le^{E_1} \ldots I^{n-1} \le^{E_{n-1}} I^n = I'$. Hence, by Lemma 47, 
$[\![U_j]\!]^I_{\xi,\theta} \subseteq [\![U_j]\!]^{I'}_{\xi,\theta}$ and $u \in \varphi^{I'}_D(\vec{a})$. □ 

Since $(\mathcal{I}^m, \le)$ is a complete lattice, $\varphi$ has a least fixpoint $I$ which is an interpretation 
for all the constant predicate symbols equivalent to $C$. Hence, by induction on $>_\mathcal{C}$, we 
obtain an interpretation $I$ for all the constant predicate symbols. 

In the case of a primitive constant predicate symbol, the interpretation is simply the 
set of strongly normalizable terms of this type: 

Lemma 49 (Interpretation of primitive constant predicate symbols) If $C$ is a 
primitive constant predicate symbol then $I_C = \top_{\tau_C}$. 

Proof. Since $I_C \le \top_{\tau_C}$, it suffices to prove that $\top_{\tau_C} \le I_C$. Since, by assumption, 
$\vdash \tau_C : \square$, $\tau_C$ is of the form $(\vec{x} : \vec{T})\star$. If $\vec{a}$ are arguments of $\top_{\tau_C}$ then $\top_{\tau_C}(\vec{a}) = \top_\star = \mathcal{SN}$ 
and it suffices to prove that, for all $u \in \mathcal{SN}$, $C$ primitive and $\vec{a}$ arguments of $I_C$, $u \in I_C(\vec{a})$, 
by induction on $u$ with $\to \cup \rhd$ as well-founded ordering. Assume that $u \to^* f\vec{u}$ with 
$f : (\vec{y} : \vec{U})C\vec{v}$. If $u \to^+ f\vec{u}$, we can conclude by induction hypothesis. So, assume that 
$u = f\vec{u}$. In this case, we have to prove that, for all $j \in Acc(f)$, $u_j \in [\![U_j]\!]^I_{\xi,\theta}$ with 
$\theta = \{\vec{y} \mapsto \vec{u}\}$ and, for all $y \in FV^\square(U_j)$, $y\xi = S_{\iota_y}$. By definition of primitive constant 
predicate symbols, for all $j \in Acc(f)$, $U_j$ is of the form $D\vec{w}$ with $D$ primitive too. Hence, 
$[\![U_j]\!]^I_{\xi,\theta} = I_D(\vec{a}')$ with $a'_i = (w_i\theta, [\![w_i]\!]^I_{\xi,\theta})$. Since $u_j \in \mathcal{SN}$, by induction hypothesis, 
$u_j \in I_D(\vec{a}')$. Therefore, $u \in I_C(\vec{a})$. □ 



6.4. Computability ordering 

In this section, we assume given an interpretation $J$ for defined predicate symbols and 
denote $[\![T]\!]^{I \cup J}$ by $[\![T]\!]$. The fixpoint of the function $\varphi$ defined in the previous section can 
be reached by transfinite iteration from the smallest element of $\mathcal{I}^m$, $I^\bot_C(\vec{t}, \vec{S}) = \bot_\star$. Let 
$I^a$ be the interpretation reached after $a$ iterations of $\varphi$. 

Definition 50 (Order of a computable term) The order of a term $t \in I_C(\vec{S})$, writ- 
ten $o_{C(\vec{S})}(t)$, is the smallest ordinal $a$ such that $t \in I^a_C(\vec{S})$. 

This notion of order will enable us to define a well-founded ordering in which recur- 
sive definitions on strictly positive predicates strictly decrease. Indeed, in this case, the 
subterm ordering is not sufficient. In the example of the addition on ordinals, we have 
the rule: 

$x + (lim\ f) \to lim([n : nat]x + fn)$ 

We have a recursive call with $(fn)$ as argument, which is not a subterm of $(lim\ f)$. 
However, thanks to the definition of the interpretation for constant predicate symbols 
and products, we can say that, if $(lim\ f)$ is computable then $f$ is computable and thus 
that, for all computable $n$, $(fn)$ is computable. So, the order of $(lim\ f)$ is greater than 
the one of $(fn)$: $o(lim\ f) > o(fn)$. 
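Spelled out on the rule above, as an added illustration (not part of the original text) of how Definition 50 and the iteration $I^a$ of Section 6.4 give $o(lim\ f) > o(fn)$. It assumes that $ord$ is a constant predicate symbol with constructor $lim : (nat \Rightarrow ord) \Rightarrow ord$ whose argument is accessible, that $nat$ is primitive (so $[\![nat]\!] = \mathcal{SN}$ by Lemma 49), and, since $ord$ has no argument, drops the $\vec{S}$ index: 

```latex
% Added derivation (not from the paper). Assumptions: ord constant predicate symbol,
% lim : (nat \Rightarrow ord) \Rightarrow ord with 1 \in Acc(lim), nat primitive,
% I^a the a-th iterate of \varphi from I^\bot_{ord} = \bot_\star.
\text{Let } a = o_{ord}(lim\,f), \text{ the least ordinal with } lim\,f \in I^{a}_{ord}. \\[2pt]
a \ne 0: \quad I^{0}_{ord} = \bot_\star \subseteq \mathcal{N}, \text{ but } lim\,f \text{ is a constructor term, hence not neutral.} \\[2pt]
a \text{ is not a limit ordinal: otherwise } I^{a}_{ord} = \bigcup\{I^{b}_{ord} \mid b < a\}
  \text{ would give } lim\,f \in I^{b}_{ord} \text{ for some } b < a. \\[2pt]
\text{Hence } a = b + 1 \text{ and, by Definition 43 applied to } I^{b+1}_{ord} = \varphi^{I^{b}}_{ord}, \\[2pt]
\qquad lim\,f \in \varphi^{I^{b}}_{ord} \;\Longrightarrow\; f \in [\![nat \Rightarrow ord]\!]^{I^{b}}
   = \{\, g \in \mathcal{T} \mid \forall n \in [\![nat]\!]^{I^{b}},\; g\,n \in I^{b}_{ord} \,\} \\[2pt]
\qquad \Longrightarrow\; \forall n \in \mathcal{SN},\; f\,n \in I^{b}_{ord}
   \;\Longrightarrow\; o_{ord}(f\,n) \le b < b + 1 = o_{ord}(lim\,f).
```

The three steps (not zero, not a limit, hence a successor whose predecessor bounds the accessible argument) are exactly the shape of the proof of Lemma 53 below; the strict decrease from $lim\,f$ to $f\,n$ is what the computability ordering of Definition 51 measures on strictly positive arguments. 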

Definition 51 (Computability ordering) Let $f \in \mathcal{F}$ with $stat_f = lex\ m_1 \ldots m_k$. Let 
$\Theta_f$ be the set of tuples $(g, \xi, \theta)$ such that $g \simeq f$ and $\xi, \theta \models \Gamma_g$. We equip $\Theta_f$ with the 
ordering $\sqsupset_f$ defined by: 

• $(g, \xi, \theta) \sqsupset_f (g', \xi', \theta')$ if $\vec{x}\theta\ (\sqsupset^{m_1}_f, \ldots, \sqsupset^{m_k}_f)_{lex}\ \vec{x}'\theta'$, 

• $\vec{t} \sqsupset^{mul}_f \vec{t}'$ if $\{\vec{t}\}\ (\sqsupset^i_f)_{mul}\ \{\vec{t}'\}$, 

• $t \sqsupset^i_f t'$ if $i \in SP(f)$, $T_i = C\vec{a}$, $[\![\vec{a}]\!]_{\xi,\theta} = [\![\vec{a}]\!]_{\xi',\theta'} = \vec{S}$ and $o_{C(\vec{S})}(t) > o_{C(\vec{S})}(t')$, 

• $t \sqsupset^i_f t'$ if $i \notin SP(f)$ and $t\ (\to \cup \rhd)^+\ t'$. 

We equip $\Theta = \bigcup\{\Theta_f \mid f \in \mathcal{F}\}$ with the computability ordering $\sqsupset$ defined by $(f, \xi, \theta) \sqsupset 
(f', \xi', \theta')$ if $f >_\mathcal{F} f'$ or, $f \simeq f'$ and $(f, \xi, \theta) \sqsupset_f (f', \xi', \theta')$. 

Lemma 52 The computability ordering is well-founded and compatible with $\to$, that is, 
if $\theta \to \theta'$ then $(g, \xi, \theta) \sqsupseteq (g, \xi, \theta')$. 

Proof. The computability ordering is well-founded since ordinals are well-founded and 
lexicographic and multiset orderings preserve well-foundedness. It is compatible with $\to$ 
by definition of the interpretation of constant predicate symbols. □ 

We check hereafter that the accessibility relation is correct, that is, an accessible sub- 
term of a computable term is computable. Then, we check that the ordering on arguments 
is correct too, that is, if $t >_R u$ and $t$ is computable then $u$ is computable and $o(t) > o(u)$. 

Lemma 53 (Correctness of accessibility) If $t : T \rhd_p u : U$ and $t\sigma \in [\![T\rho]\!]^a_{\xi,\sigma}$ with $a$ 
as small as possible then $a = b + 1$ and $u\sigma \in [\![U\rho]\!]^b_{\xi,\sigma}$. 

Proof. By definition of $\rhd_p$, we have $t = f\vec{u}$, $f : (\vec{y} : \vec{U})C\vec{v}$, $C \in \mathcal{CF}^\square$, $u = u_j$, 
$j \in Acc(f)$, $T\rho = C\vec{v}\gamma\rho$, $U\rho = U_j\gamma\rho$, $\gamma = \{\vec{y} \mapsto \vec{u}\}$ and no $D =_\mathcal{C} C$ occurs in $\vec{u}\rho$. Hence, 
$t\sigma \in [\![C\vec{v}\gamma\rho]\!]^a_{\xi,\sigma} = I^a_C(\vec{S})$ with $\vec{S} = [\![\vec{v}\gamma\rho]\!]^a_{\xi,\sigma}$. Assume that $a = 0$. Then, $I^a_C(\vec{S}) = \bot_\star$. 
But $f\vec{u} \notin \bot_\star$ since $f\vec{u}$ is not neutral (see Lemma 36). So, $a \ne 0$. Assume now that $a$ 
is a limit ordinal. Then, $I^a_C(\vec{S}) = \bigcup\{I^b_C(\vec{S}) \mid b < a\}$ and $t\sigma \in I^b_C(\vec{S})$ for some $b < a$, 
which is not possible since $a$ is as small as possible. Therefore, $a = b + 1$ and, by 
definition of $I_C$, $u_j\sigma \in [\![U_j]\!]^b_{\xi',\gamma\sigma}$ with $y\xi' = S_{\iota_y}$. By (I6), $v_{\iota_y} = y$. Thus, $y\xi' = [\![y\gamma\rho]\!]^a_{\xi,\sigma}$. 
Now, since no $D =_\mathcal{C} C$ occurs in $\vec{u}\rho$, $y\xi' = [\![y\gamma\rho]\!]^b_{\xi,\sigma}$. Hence, by candidate substitution, 
$[\![U_j]\!]^b_{\xi',\gamma\rho\sigma} = [\![U_j\gamma\rho]\!]^b_{\xi,\sigma}$ and $u\sigma \in [\![U\rho]\!]^b_{\xi,\sigma}$ since $U\rho = U_j\gamma\rho$. □ 

Lemma 54 (Correctness of the ordering on arguments) Assume that $t : T >_R 
u : U$ as in Definition 24, $t\sigma \in [\![T\rho]\!]_{\xi,\sigma}$ and $u\sigma \in [\![U\delta]\!]_{\xi,\sigma}$. Then, $u\sigma \in [\![U\rho]\!]_{\xi,\sigma}$ and 
$o_{C(\vec{S})}(t\sigma) > o_{C(\vec{S})}(u\sigma)$ with $\vec{S} = [\![\vec{v}\gamma\rho]\!]_{\xi,\sigma}$. 

Proof. Since $t : T \rhd^+ x : V$, $T\rho = C\vec{v}\gamma\rho$. Hence, $t\sigma \in I^a_C(\vec{S})$ with $a = o_{C(\vec{S})}(t\sigma)$. By 
Lemma 53, $a = b + 1$ and $x\sigma \in [\![V\rho]\!]^b_{\xi,\sigma}$. Since no $D =_\mathcal{C} C$ occurs in $U\delta$, $[\![U\delta]\!]_{\xi,\sigma} = [\![U\delta]\!]^b_{\xi,\sigma}$. 
Since $V\rho = (\vec{y} : \vec{U})C\vec{w}$ and $u\sigma \in [\![U\delta]\!]^b_{\xi,\sigma}$, $u\sigma \in [\![C\vec{w}]\!]^b_{\xi^{\vec{y}}_{\vec{R}},\sigma^{\vec{y}}_{\vec{u}}}$ with $\vec{R} = [\![\vec{u}]\!]^b_{\xi,\sigma}$. By candidate 
substitution, $[\![C\vec{w}]\!]^b_{\xi^{\vec{y}}_{\vec{R}},\sigma^{\vec{y}}_{\vec{u}}} = [\![C\vec{w}\delta]\!]^b_{\xi,\sigma} = I^b_C(\vec{S}')$ with $\vec{S}' = [\![\vec{w}\delta]\!]^b_{\xi,\sigma}$. Since $\vec{w}\delta|_C = \vec{v}\gamma\rho|_C$, 
$\vec{S}' = [\![\vec{v}\gamma\rho]\!]^b_{\xi,\sigma}$. Since no $D =_\mathcal{C} C$ occurs in $\vec{v}\gamma\rho$, $\vec{S}' = \vec{S}$. Therefore, $u\sigma \in I^b_C(\vec{S})$ and 
$o_{C(\vec{S})}(t\sigma) > o_{C(\vec{S})}(u\sigma)$. □ 

6.5. Interpretation of defined predicate symbols 

We define the interpretation $J$ for defined predicate symbols by induction on $\succ$ (A3). Let 
$F$ be a defined predicate symbol and assume that we already defined an interpretation 
$K$ for every symbol smaller than $F$. There are three cases depending on the fact that 
the equivalence class of $F$ is primitive, positive or computable. For simplicity, we denote 
$[\![T]\!]^{I \cup K \cup J}$ by $[\![T]\!]^J$. 

6.5.1. Primitive systems 

Definition 55 For every $G \simeq F$, we take $J_G = \top_{\tau_G}$. 
6.5.2. Positive, small and simple systems 

Let $\mathcal{J}$ be the set of interpretations of the 
symbols equivalent to $F$ and $\le$ be the relation on $\mathcal{J}$ defined by $J \le J'$ if, for all $G \simeq F$, 
$J_G \le_{\tau_G} J'_G$. Since $(\mathcal{R}_{\tau_G}, \le_{\tau_G})$ is a complete lattice, it is easy to see that $(\mathcal{J}, \le)$ is a 
complete lattice too. 

Definition 56 Let $\psi$ be the function which, to $J \in \mathcal{J}$ and $G \simeq F$ with $G : (\vec{x} : \vec{T})U$, 
associates the interpretation $\psi^J_G$ defined by: 

$\psi^J_G(\vec{t}, \vec{S}) = [\![r]\!]^J_{\xi,\sigma}$ if $\vec{t} \in \mathcal{WN} \cap \mathcal{CR}$, $\vec{t}\!\downarrow = \vec{l}\sigma$ and $(G\vec{l} \to r, \Gamma, \rho) \in \mathcal{R}$, 

$\psi^J_G(\vec{t}, \vec{S}) = \top_U$ otherwise, 

where $x\xi = S_{\kappa_x}$. We show hereafter that $\psi$ is monotonic. So, we can take $J = lfp(\psi)$. 
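A worked instance of Definition 56 on the predicate symbol of the introduction to this section, added here as an illustration and not taken from the original paper. It assumes that $F : nat \Rightarrow \star$ is a defined predicate symbol alone in its equivalence class, with the two rules $F0 \to nat$ and $F(sn) \to nat \Rightarrow nat$, and that $nat$ is a primitive constant predicate symbol with constructors $0$ and $s$. No predicate variable occurs in the left hand-sides, so $\xi$ is empty, and the candidate paired with the $nat$ argument is $\emptyset$ since $\mathcal{R}_{nat} = \{\emptyset\}$: 

```latex
% Added worked instance of Definition 56 (not from the paper). Assumptions:
% F : nat \Rightarrow \star with rules F0 \to nat and F(sn) \to nat \Rightarrow nat;
% nat primitive with constructors 0 and s; F alone in its class; \xi empty.
\psi^{J}_{F}(t, \emptyset) =
\begin{cases}
[\![nat]\!]^{J} = I_{nat} = \top_{\tau_{nat}} = \mathcal{SN}
  & \text{if } t \in \mathcal{WN}\cap\mathcal{CR} \text{ and } t\!\downarrow\; = 0, \\[4pt]
[\![nat \Rightarrow nat]\!]^{J}
  = \{\, u \in \mathcal{T} \mid \forall v \in \mathcal{SN},\; u\,v \in \mathcal{SN} \,\}
  & \text{if } t \in \mathcal{WN}\cap\mathcal{CR} \text{ and } t\!\downarrow\; = s\,n \text{ for some } n, \\[4pt]
\top_{\star} = \mathcal{SN}
  & \text{otherwise (e.g. } t\!\downarrow\; \text{a variable, or } t \notin \mathcal{WN}).
\end{cases}
% The first case uses Lemma 49 (nat primitive); the second unfolds the product
% case of Definition 37 with [\![nat]\!]^J = \mathcal{SN} on both sides. Neither
% right hand-side mentions F, so \psi^J_F does not depend on J and lfp(\psi) is
% reached after one iteration.
```

This is exactly the interpretation that the discussion of Geuvers' proof at the start of this section asked for: $F0$ is interpreted as $[\![nat]\!]$ and $F(sn)$ as $[\![nat \Rightarrow nat]\!]$, and stability by reduction holds because the case analysis is on the normal form $t\!\downarrow$ rather than on $t$ itself. 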



Lemma 57 $\psi^J_G$ is a well defined interpretation. 

Proof. By simplicity, at most one rule can be applied at the top of $G(\vec{t}\!\downarrow)$. The existence 
of $\kappa_x$ is the smallness condition (q). We now prove that $\psi^J_G \in \mathcal{R}_{\tau_G}$. By (S3), $\Gamma \vdash r : U\gamma\rho$ 
with $\gamma = \{\vec{x} \mapsto \vec{l}\}$. Now, we prove that $\xi \models \Gamma$. Let $x \in FV^\square(r)$, $x\xi = S_{\kappa_x} \in \mathcal{R}_{x\Gamma}$ since 
$S_{\kappa_x} \in \mathcal{R}_{T_{\kappa_x}}$ and, by smallness, $l_{\kappa_x} = x$ and $l_{\kappa_x}\sigma = x\sigma$. Therefore, by Lemma 38, $[\![r]\!]^J_{\xi,\sigma} \in 
\mathcal{R}_{U\gamma\rho} = \mathcal{R}_U$. We are left to check that $\psi^J_G$ is stable by reduction. Assume that $\vec{t} \to \vec{t}'$. By 
(A1), $\to$ is confluent. Therefore, $\vec{t} \in \mathcal{WN}$ iff $\vec{t}' \in \mathcal{WN}$. Furthermore, if $\vec{t} \in \mathcal{WN}$, 
then $\vec{t}\!\downarrow = \vec{t}'\!\downarrow$ and $\psi^J_G(\vec{t}, \vec{S}) = \psi^J_G(\vec{t}', \vec{S})$. □ 

Lemma 58 $\psi$ is monotonic. 

Proof. As in Lemma 48. □ 



6.5.3. Computable, small and simple systems 

Let $\mathcal{D}$ be the set of tuples $(G, \vec{t}, \vec{S})$ such 
that $G \simeq F$, and $\{\vec{x} \mapsto \vec{S}\}, \{\vec{x} \mapsto \vec{t}\} \models \Gamma_G$. We equip $\mathcal{D}$ with the well-founded ordering 
$(G, \vec{t}, \vec{S}) \sqsupset_\mathcal{D} (G', \vec{t}', \vec{S}')$ iff $(G, \{\vec{x} \mapsto \vec{S}\}, \{\vec{x} \mapsto \vec{t}\}) \sqsupset (G', \{\vec{x}' \mapsto \vec{S}'\}, \{\vec{x}' \mapsto \vec{t}'\})$ (see 
Definition 51). 

Definition 59 We first define $J'$ on $\mathcal{D}$ by induction on $\sqsupset_\mathcal{D}$. Let $G \simeq F$ with $G : (\vec{x} : \vec{T})U$. 

$J'_G(\vec{t}, \vec{S}) = [\![r]\!]^{J'}_{\xi,\sigma}$ if $\vec{t} = \vec{l}\sigma$ and $(G\vec{l} \to r, \Gamma, \rho) \in \mathcal{R}$, 

$J'_G(\vec{t}, \vec{S}) = \top_U$ otherwise, 

where $x\xi = S_{\kappa_x}$. Then, $J_G(\vec{t}, \vec{S}) = J'_G(\vec{t}\!\downarrow, \vec{S})$ if $\vec{t} \in \mathcal{WN} \cap \mathcal{CR}$, and $J_G(\vec{t}, \vec{S}) = \top_U$ 
otherwise. 

Lemma 60 $J$ is a well defined interpretation. 

Proof. As in Lemma 57. The well-foundedness of the definition comes from Lemma 68 
and Theorem 67. In Lemma 68, we show that, starting from a sequence in $\mathcal{D}$, we can 
apply Theorem 67 where we show that, in a recursive call $G'\vec{t}'$, $(G, \vec{t}, \vec{S}) \sqsupset (G', \vec{t}', \vec{S}')$ for 
some $\vec{S}'$. □ 
6.6. Correctness of the conditions 

Definition 61 (Cap and aliens) Let $\zeta$ be an injection from classes of terms modulo $\leftrightarrow^*$ 
to $\mathcal{X}$. The cap of a term $t$ w.r.t. a set $\mathcal{G}$ of symbols is the term $cap_\mathcal{G}(t) = t[x_1]_{p_1} \ldots [x_n]_{p_n}$ 
such that, for all $i$, $x_i = \zeta(t|_{p_i})$ and $t|_{p_i}$ is not of the form $g\vec{t}$ with $g \in \mathcal{G}$. The $t|_{p_i}$'s are 
the aliens of $t$. We denote by $aliens_\mathcal{G}(t)$ their multiset. 

Lemma 62 (Pre-computability of first-order symbols) If $f \in \mathcal{F}_1$ and $\vec{t} \in \mathcal{SN}$ then 
$f\vec{t} \in \mathcal{SN}$. 

Proof. We prove that every reduct $t'$ of $t = f\vec{t}$ is in $\mathcal{SN}$. Hereafter, $cap = cap_{\mathcal{F}_1}$. 

Case $\mathcal{R}_\omega \ne \emptyset$. By induction on $(aliens(t), cap(t))_{lex}$ with $((\to \cup \rhd)_{mul}, \to_{\mathcal{R}_1})_{lex}$ as 
well-founded ordering (the aliens are strongly normalizable and, by (f), $\to_{\mathcal{R}_1}$ is strongly 
normalizing on first-order algebraic terms). 

If the reduction takes place in $cap(t)$ then this is a $\mathcal{R}_1$-reduction. By (c), no symbol 
of $\mathcal{F}_\omega$ occurs in the rules of $\mathcal{R}_1$. And, by (d), the right hand-sides of the rules of $\mathcal{R}_1$ are 
algebraic. Therefore, $cap(t) \to_{\mathcal{R}_1} cap(t')$. By (e), the rules of $\mathcal{R}_1$ are non duplicating. 
Therefore, $aliens(t) \ge_{mul} aliens(t')$ and we can conclude by induction hypothesis. 

If the reduction takes place in an alien then $aliens(t)\ (\to \cup \rhd)_{mul}\ aliens(t')$ and we 
can conclude by induction hypothesis. 

Case $\mathcal{R}_\omega = \emptyset$. Since the $t_i$'s are strongly normalizable and no $\beta$-reduction can take 
place at the top of $t$, $t$ has a $\beta$-normal form. Let $cap\beta(t)$ be the cap of its $\beta$-normal form. 
We prove that every immediate reduct $t'$ of $t$ is strongly normalizable, by induction on 
$(cap\beta(t), aliens(t))_{lex}$ with $(\to_{\mathcal{R}_1}, (\to \cup \rhd)_{mul})_{lex}$ as well-founded ordering (the aliens are 
strongly normalizable and, by (f), $\to_{\mathcal{R}_1}$ is strongly normalizing on first-order algebraic 
terms). 

If the reduction takes place in $cap(t)$ then this is a $\mathcal{R}_1$-reduction. By (d), the right 
hand-sides of the rules of $\mathcal{R}_1$ are algebraic. Therefore, $t'$ has a $\beta$-normal form and 
$cap\beta(t) \to_{\mathcal{R}_1} cap\beta(t')$. Hence, we can conclude by induction hypothesis. If the reduc- 
tion is a $\beta$-reduction in an alien then $cap\beta(t) = cap\beta(t')$ and $aliens(t)\ (\to \cup \rhd)_{mul}\ 
aliens(t')$. Hence, we can conclude by induction hypothesis. 

We are left with the case where the reduction is a $\mathcal{R}_1$-reduction taking place in an 
alien $u$. Then, $aliens(t) \to_{mul} aliens(t')$, $cap\beta(t) \to^*_{\mathcal{R}_1} cap\beta(t')$ and we can conclude by 
induction hypothesis. To see that $cap\beta(t) \to^*_{\mathcal{R}_1} cap\beta(t')$, it suffices to remark that, if we 
$\beta$-normalize $u$, then all the residuals of the $\mathcal{R}_1$-redex are still reducible (left and right 
hand-sides of first-order rules are algebraic). □ 

Lemma 63 (Computability of first-order symbols) For all $f \in \mathcal{F}_1$, $f \in [\![\tau_f]\!]$. 

Proof. Assume that $f : (\vec{x} : \vec{T})U$. $f \in [\![\tau_f]\!]$ iff, for all $\Gamma_f$-valid pair $(\xi, \theta)$, $f\vec{x}\theta \in R = 
[\![U]\!]_{\xi,\theta}$. For first-order symbols, $U = \star$ or $U = C\vec{v}$ with $C$ primitive. If $U = \star$ then 
$R = \top_\star = \mathcal{SN}$. If $U = C\vec{v}$ with $C : (\vec{y} : \vec{U})V$ then $R = I_C(\vec{a})$ with $a_i = (v_i\theta, [\![v_i]\!]_{\xi,\theta})$. 
Since $C$ is primitive, by Lemma 49, $I_C = \top_{\tau_C}$ and $R = \top_V$. By assumption, $\vdash \tau_C : \square$ 
and $\vdash \tau_f : s_f$. After Lemma 11, $s_f = \star$ and $V = \star$. Therefore, $R = \top_\star = \mathcal{SN}$. Now, 
since $\xi, \theta \models \Gamma_f$, we have $x_i\theta \in [\![T_i]\!]_{\xi,\theta} \subseteq \mathcal{SN}$ by (R1). Hence, by pre-computability of 
first-order symbols, $f\vec{x}\theta \in [\![U]\!]_{\xi,\theta}$. □ 
Theorem 64 (Strong normalization of $\to_\mathcal{R}$) The relation $\to_\mathcal{R} = \to_{\mathcal{R}_1} \cup \to_{\mathcal{R}_\omega}$ is 
strongly normalizing. 

Proof. By induction on the structure of terms. The only difficult case is $f\vec{t}$. If $f$ is 
first-order, we use the Lemma of pre-computability of first-order symbols. If $f$ is higher- 
order, we have to show that, if $\vec{t} \in \mathcal{SN}_\mathcal{R}$, then $t = f\vec{t} \in \mathcal{SN}_\mathcal{R}$, where $\mathcal{SN}_\mathcal{R}$ is the set of 
terms that are strongly normalizable w.r.t. $\to_\mathcal{R}$. 

Let $\varpi(t) = 0$ if $t$ is not of the form $g\vec{u}$ and $\varpi(t) = 1$ otherwise. We prove that 
every reduct $t'$ of $t$ is strongly normalizable by induction on $(f, \varpi(\vec{t}), \vec{t}, \vec{t})$ with $(>_\mathcal{F}, (>_\mathbb{N} 
)_{stat_f}, (\rhd \cup \to_\mathcal{R})_{stat_f}, (\to_\mathcal{R})_{lex})_{lex}$ as well-founded ordering. Assume that $t' = f\vec{t}'$ with 
$t_i \to_\mathcal{R} t'_i$ and, for all $j \ne i$, $t_j = t'_j$. Then, $\vec{t}\ (\to_\mathcal{R})_{lex}\ \vec{t}'$ and $\varpi(t_i) \ge \varpi(t'_i)$ since if $t_i$ is 
not of the form $g\vec{u}$ then $t'_i$ is not of the form $g\vec{u}$ either. 

Assume now that there exists $f\vec{l} \to r \in \mathcal{R}$ such that $t = f\vec{l}\sigma$ and $t' = r\sigma$. By (a), 
$r$ belongs to the computability closure of $f\vec{l}$. It is then easy to prove that $r\sigma$ is strongly 
normalizable by induction on the structure of $r$. Again, the only difficult case is $g\vec{u}$. But 
then, either $g$ is smaller than $f$, or $g$ is equivalent to $f$ and its arguments are smaller 
than $\vec{l}$. If $l_i >_1 u_j$ then $l_i \rhd u_j$ and $FV(u_j) \subseteq FV(l_i)$. Therefore $l_i\sigma \rhd u_j\sigma$ and $\varpi(l_i\sigma) = 
1 \ge \varpi(u_j\sigma)$. If now $l_i >_2 u_j$ then $u_j$ is of the form $x\vec{v}$ and $\varpi(l_i\sigma) = 1 > \varpi(u_j\sigma) = 0$. □ 

Lemma 65 (Invariance by reduction) If $\Gamma \vdash t : T$, $t \to t'$, $\xi \models \Gamma$ and $t\theta \in \mathcal{WN}$ then 
$[\![t]\!]_{\xi,\theta} = [\![t']\!]_{\xi,\theta}$. 

Proof. By induction on $t$. If $t$ is an object then $t'$ is an object too and $[\![t]\!]_{\xi,\theta} = \emptyset = [\![t']\!]_{\xi,\theta}$. 
Otherwise, we proceed by case on $t$ and $t'$: 

• Let $R = [\![F\vec{l}\sigma]\!]_{\xi,\theta}$ and $R' = [\![r\sigma]\!]_{\xi,\theta}$ with $(F\vec{l} \to r, \Gamma, \rho) \in \mathcal{R}$. $R = I_F(\vec{a})$ with $a_i = 
(l_i\sigma\theta, [\![l_i\sigma]\!]_{\xi,\theta})$. By (A3), there are two sub-cases: 

- $F$ belongs to a primitive system. Then, $I_F = \top_{\tau_F}$ and $r$ is of the form $[\vec{x} : \vec{T}]G\vec{u}$ 
with $G \simeq F$ or $G$ a primitive constant predicate symbol. In both cases, $I_G = \top_{\tau_G}$. 
Therefore, $R = R'$. 

- $F$ belongs to a positive or computable, small and simple system. Since 
$\vec{l}\sigma\theta \in \mathcal{WN}$, by (A1), $\vec{l}\sigma\theta$ has a unique normal form $\vec{t}$. By simplicity, the symbols 
in $\vec{l}$ are constant. Therefore, $\vec{t}$ is of the form $\vec{l}\theta'$ with $\sigma\theta \to^* \theta'$, and $R = [\![r]\!]_{\xi',\theta'}$ 
with $x\xi' = [\![l_{\kappa_x}\sigma]\!]_{\xi,\theta}$. By smallness, $l_{\kappa_x} = x$ and $x\xi' = [\![x\sigma]\!]_{\xi,\theta}$. By Lemma 38, 
$[\![r]\!]_{\xi',\theta'} = [\![r]\!]_{\xi',\sigma\theta}$. By (S4), $\sigma : \Gamma \leadsto \Gamma$. Therefore, by candidate substitution, $R = R'$. 

• Let $R = [\![[x : U]v\ u]\!]_{\xi,\theta}$ and $R' = [\![v\{x \mapsto u\}]\!]_{\xi,\theta}$. Let $S = [\![u]\!]_{\xi,\theta}$. $R = [\![[x : 
U]v]\!]_{\xi,\theta}(u\theta, S) = [\![v]\!]_{\xi^x_S,\theta'}$ with $\theta' = \theta^x_{u\theta} = \{x \mapsto u\}\theta$. Since $\{x \mapsto u\} : (\Gamma, x : U) \leadsto \Gamma$, by 
candidate substitution, $R' = [\![v]\!]_{\xi^x_S,\theta'} = R$. 

• Let $R = [\![tu]\!]_{\xi,\theta}$ and $R' = [\![t'u']\!]_{\xi,\theta}$ with $t \to^= t'$ and $u \to^= u'$. $R = [\![t]\!]_{\xi,\theta}(u\theta, [\![u]\!]_{\xi,\theta})$ and 
$R' = [\![t']\!]_{\xi,\theta}(u'\theta, [\![u']\!]_{\xi,\theta})$. By induction hypothesis, $[\![t]\!]_{\xi,\theta} = [\![t']\!]_{\xi,\theta}$ and $[\![u]\!]_{\xi,\theta} = [\![u']\!]_{\xi,\theta}$. 
Finally, since candidates are stable by reduction, $R = R'$. 

• Let $R = [\![[x : U]v]\!]_{\xi,\theta}$ and $R' = [\![[x : U']v']\!]_{\xi,\theta}$ with $U \to^= U'$ and $v \to^= v'$. Since 
$\mathcal{R}_U = \mathcal{R}_{U'}$, $R$ and $R'$ have the same domain $\mathcal{T} \times \mathcal{R}_U$ and codomain $\mathcal{R}_V$, where $V$ is 
the type of $v$. $R(u, S) = [\![v]\!]_{\xi^x_S,\theta^x_u}$ and $R'(u, S) = [\![v']\!]_{\xi^x_S,\theta^x_u}$. By induction hypothesis, 
$R(u, S) = R'(u, S)$. Therefore, $R = R'$. 

• Let $R = [\![(x : U)V]\!]_{\xi,\theta}$ and $R' = [\![(x : U')V']\!]_{\xi,\theta}$. $R = \{t \in \mathcal{T} \mid \forall u \in [\![U]\!]_{\xi,\theta}, \forall S \in 
\mathcal{R}_U, tu \in [\![V]\!]_{\xi^x_S,\theta^x_u}\}$ and $R' = \{t \in \mathcal{T} \mid \forall u \in [\![U']\!]_{\xi,\theta}, \forall S \in \mathcal{R}_U, tu \in [\![V']\!]_{\xi^x_S,\theta^x_u}\}$. By 
induction hypothesis, $[\![U]\!]_{\xi,\theta} = [\![U']\!]_{\xi,\theta}$ and $[\![V]\!]_{\xi^x_S,\theta^x_u} = [\![V']\!]_{\xi^x_S,\theta^x_u}$. Therefore, $R = R'$. 

□ 

Lemma 66 (Pre-computability of well-typed terms) Assume that, for all $f$, $f \in [\![\tau_f]\!]$. If $\Gamma \vdash t : T$ and $\xi,\theta \models \Gamma$ then $t\theta \in [\![T]\!]_{\xi,\theta}$.

Proof. By induction on $\Gamma \vdash t : T$.

(ax) $\star\theta = \star \in [\![\square]\!]_{\xi,\theta} = \top_\square = \mathcal{SN}$.

(symb) By assumption, $f \in [\![\tau_f]\!]$.

(var) $x\theta \in [\![T]\!]_{\xi,\theta}$ since $\theta$ is adapted to $\xi$.

(weak) By induction hypothesis.

(prod) We have to prove that $(x : U\theta)V\theta \in [\![s']\!]_{\xi,\theta} = \top_{s'} = \mathcal{SN}$. By induction hypothesis, $U\theta \in [\![s]\!]_{\xi,\theta} = \mathcal{SN}$. Now, let $\xi' = \xi^x_{\top_U}$. Since $\xi',\theta \models \Gamma, x : U$, by induction hypothesis, $V\theta \in [\![s']\!]_{\xi',\theta} = \mathcal{SN}$.

(abs) Let $t = [x : U]v$. We have to prove that $t\theta \in [\![(x : U)V]\!]_{\xi,\theta}$. First note that $U\theta, v\theta \in \mathcal{SN}$. Indeed, let $\xi' = \xi^x_{\top_U}$. Since $\xi',\theta \models \Gamma, x : U$, by induction hypothesis, $v\theta \in [\![V]\!]_{\xi',\theta} \subseteq \mathcal{SN}$. Furthermore, by inversion, $\Gamma \vdash U : s$ for some $s$. So, by induction hypothesis, $U\theta \in [\![s]\!]_{\xi,\theta} = \mathcal{SN}$. Now, let $u \in [\![U]\!]_{\xi,\theta} \subseteq \mathcal{SN}$ and $S \in \mathcal{R}_U$. We must prove that $t\theta u \in S' = [\![V]\!]_{\xi^x_S,\theta^x_u}$. Since $t\theta u$ is neutral, it suffices to prove that $\to(t\theta u) \subseteq S'$. We prove it by induction on $(U\theta, v\theta, u)$ with $\to_{lex}$ as well-founded ordering. We have $t\theta u \to v\theta\{x \mapsto u\} = v\theta'$. Since $\xi^x_S,\theta' \models \Gamma, x : U$, by induction hypothesis, $v\theta' \in S'$. For the other cases, we can conclude by induction hypothesis on $(U\theta, v\theta, u)$.

(app) We have to prove that $t\theta u\theta \in [\![V\{x \mapsto u\}]\!]_{\xi,\theta}$. By induction hypothesis, $t\theta \in [\![(x : U)V]\!]_{\xi,\theta}$ and $u\theta \in [\![U]\!]_{\xi,\theta}$. Since $S = [\![u]\!]_{\xi,\theta} \in \mathcal{R}_{U\theta} = \mathcal{R}_U$, by definition of $[\![(x : U)V]\!]_{\xi,\theta}$, $t\theta u\theta \in [\![V]\!]_{\xi^x_S,\theta'}$ with $\theta' = \theta^x_{u\theta}$. By candidate substitution, $[\![V\{x \mapsto u\}]\!]_{\xi,\theta} = [\![V]\!]_{\xi',\{x \mapsto u\}\theta}$ with $x\xi' = [\![x\{x \mapsto u\}]\!]_{\xi,\theta}$. Since $\xi' = \xi^x_S$ and $\{x \mapsto u\}\theta = \theta'$, $t\theta u\theta \in [\![V\{x \mapsto u\}]\!]_{\xi,\theta}$.

(conv) In (Blanqui 2001), we show that adding the hypothesis $\Gamma \vdash T : s$ does not change the typing relation. Therefore, by induction hypothesis, $t\theta \in [\![T]\!]_{\xi,\theta}$, $T\theta \in [\![s]\!]_{\xi,\theta} = \top_s = \mathcal{SN}$ and $T'\theta \in [\![s]\!]_{\xi,\theta} = \mathcal{SN}$. Hence, by invariance by reduction, $[\![T]\!]_{\xi,\theta} = [\![T']\!]_{\xi,\theta}$ and $t\theta \in [\![T']\!]_{\xi,\theta}$.

$\square$

Theorem 67 (Computability closure correctness) Let $(f\vec{l} \to r, \Gamma, \rho)$ be a well-formed rule with $f \in \mathcal{F}$, $f : (\vec{x} : \vec{T})U$ and $\gamma = \{\vec{x} \mapsto \vec{l}\}$. Assume that $\eta, \gamma\sigma \models \Gamma_f$, $\xi, \sigma \models \Gamma$, $x\eta = [\![x\gamma\rho]\!]_{\xi,\sigma}$ and $\vec{l}\sigma \in [\![\vec{T}\gamma\rho]\!]_{\xi,\sigma}$. Assume also that:

• $\forall g <_{\mathcal{F}} f$, $g \in [\![\tau_g]\!]$,

. V 5 =^ /, if g : (y : C/)V and (/, 77, 7^) □ (g, <?) then G [Vfc», e . 
If A h c t : T and a a' \= T, A then W G [T] a / )<7(7 ,. 

Proof. By induction on $\Delta \vdash_c t : T$, we prove that $t\sigma\sigma' \in [\![T]\!]_{\xi',\sigma\sigma'}$ as in the previous lemma. We only detail the case (symb$^{\simeq}$). Let $\vec{u} = \vec{y}\delta$. By induction hypothesis, $\vec{u}\sigma\sigma' \in [\![\vec{U}\delta]\!]_{\xi',\sigma\sigma'}$. By candidate substitution, there exists $\xi''$ such that $[\![\vec{U}\delta]\!]_{\xi',\sigma\sigma'} = [\![\vec{U}]\!]_{\xi'',\delta\sigma\sigma'}$, $[\![V\delta]\!]_{\xi',\sigma\sigma'} = [\![V]\!]_{\xi'',\delta\sigma\sigma'}$ and $\xi'' \models \Gamma_g$. Therefore, $\xi'', \delta\sigma\sigma' \models \Gamma_g$.

We now prove that (/, r], -fa) □ (5, Saa'). If Zj : Tij >+ Uj : [/j<5. Then, Z, > Uj and 
FV(mj) C FV(Zj). Therefore, Zicr = kaa' > Ujaa' . Assume now that Zj : ^7 > k R uj : UjS, 
k e SP(/) and 7^ = Co. By definition of >|, U = h£ , h : {x 1 : f')Cv, u } = xv! , 
x G dom(r), U : T^f \>+ x : V and Vp = xT = {$ : U')Cw, where 7' = {x" ^ ?} 
and 5' = {{? 1— > u'}. We must prove that [a],, i7CT = [&]£", ,w = S and o c ,g^(li<j) > 
C(S)( U J <7<7 ')- 

Assume that T, = Ct and C/j = Cu. Since k G SP(f), t\c = u\c = a|c- By definition 
of l> p , 7i7P = Cvj'p. Hence, a7p|c = ^t'pIc- By definition of > k R , vj'p\c — wS'\c 
and UjSp = CwS' . Therefore, a^p\c = w8'\c = u5p\c = a5p\c = aS\c since dom(p) C 
FV(Z), FV(J) C dom(A) and dom(A) n FV(Z) = 0. By (S5), [a]„ >70 . = [a]„, 7P<J . Since 
xr\ = [a;7p]4,cr, by candidate substitution, [a]^, 7p( r = [a7p] £,<>•■ So, [a]^ i7CT = [a£]f,cr = 
[a5]^/ jCTCr / = [a]£",<5o- CT '. Now, by induction hypothesis, u'aa' G \U' t(T(T i . Therefore, 
since ha = kaa' G [Ti7p] £jCr = Pi7p]|e,cr<r', by Lemma 54, Ujaa' G \Uj8p\^ and 
°c(R)( l * a ) > °c(R)( u i aa ') where ^ = I^7V]«', CTCT ' =5. □ 

Lemma 68 (Computability of higher-order symbols) For all $f \in \mathcal{F}_\omega$, $f \in [\![\tau_f]\!]$.

Proof. Assume that $f : (\vec{x} : \vec{T})U$. $f \in [\![\tau_f]\!]$ iff, for all $\Gamma_f$-valid pair $(\eta, \theta)$, $f\vec{x}\theta \in [\![U]\!]_{\eta,\theta}$. We prove it by induction on $((f, \eta, \theta), \vec{t})$ with $(\sqsupset, \to)_{lex}$ as well-founded ordering. Let $t_i = x_i\theta$ and $t = f\vec{t}$. By assumption (see Definition 2), for all rule $f\vec{l} \to r \in \mathcal{R}$, $|\vec{l}| \le |\vec{x}|$. So, if $U \neq C\vec{v}$ with $C \in \mathcal{CF}$ then $t$ is neutral and it suffices to prove that $\to(t) \subseteq [\![U]\!]_{\eta,\theta}$. Otherwise, $[\![U]\!]_{\eta,\theta} = I_C(\vec{a})$ with $a_i = (v_i\theta, [\![v_i]\!]_{\eta,\theta})$. Since $\eta,\theta \models \Gamma_f$, $t_j \in [\![T_j]\!]_{\eta,\theta}$. Therefore, in this case too, it suffices to prove that $\to(t) \subseteq [\![U]\!]_{\eta,\theta}$.

If the reduction takes place in one $t_i$ then we can conclude by induction hypothesis since reducibility candidates are stable by reduction and $\sqsupset$ is compatible with reduction. Assume now that there exist $(l \to r, \Gamma, \rho) \in \mathcal{R}$ and $\sigma$ such that $l = f\vec{l}$ and $t = l\sigma$. Then, $\theta = \gamma\sigma$ with $\gamma = \{\vec{x} \mapsto \vec{l}\}$. Furthermore, by (S5), $\sigma \downarrow \rho\sigma$. Hence, by Lemma 38, $\theta \downarrow \gamma\rho\sigma$ and $[\![U]\!]_{\eta,\theta} = [\![U]\!]_{\eta,\gamma\rho\sigma}$. Now, since rules are well-formed, $\Gamma \vdash l\rho : U\gamma\rho$. Therefore, by inversion, $\Gamma \vdash \vec{l}\rho : \vec{T}\gamma\rho$ and $\gamma\rho : \Gamma_f \leadsto \Gamma$.

We now define $\xi$ such that $[\![U]\!]_{\eta,\gamma\rho\sigma} = [\![U\gamma\rho]\!]_{\xi,\sigma}$ and $[\![\vec{T}]\!]_{\eta,\gamma\rho\sigma} = [\![\vec{T}\gamma\rho]\!]_{\xi,\sigma}$. By safeness (b), for all $x \in FV^\square(\vec{T}U)$, $x\gamma\rho \in dom(\Gamma)$ and, for all $x, x' \in FV^\square(\vec{T}U)$, $x\gamma\rho = x'\gamma\rho \Rightarrow x = x'$. Let $y \in dom^\square(\Gamma)$. If there exists $x \in dom(\Gamma_f)$ (necessarily unique) such that $y = x\gamma\rho$, we take $y\xi = x\eta$. Otherwise, we take $y\xi = \top_{y\Gamma}$. We check that $\xi \models \Gamma$. If $y \neq x\gamma\rho$, $y\xi = \top_{y\Gamma} \in \mathcal{R}_{y\Gamma}$. If $y = x\gamma\rho$ then $y\xi = x\eta$. Since $\eta \models \Gamma_f$, $x\eta \in \mathcal{R}_{x\Gamma_f}$. Since $\gamma\rho : \Gamma_f \leadsto \Gamma$, $\Gamma \vdash y : x\Gamma_f\gamma\rho$. Therefore, $y\Gamma \downarrow x\Gamma_f\gamma\rho$ and, by Lemma 34, $y\xi = x\eta \in \mathcal{R}_{x\Gamma_f} = \mathcal{R}_{x\Gamma_f\gamma\rho} = \mathcal{R}_{y\Gamma}$. So, $\xi \models \Gamma$. Now, by candidate substitution, $[\![U\gamma\rho]\!]_{\xi,\sigma} = [\![U]\!]_{\xi',\gamma\rho\sigma}$ with $x\xi' = [\![x\gamma\rho]\!]_{\xi,\sigma}$. Let $x \in FV(\vec{T}U)$. By (b), $x\gamma\rho = y \in dom^\square(\Gamma)$ and $x\xi' = y\xi = x\eta$. Since $\xi'$ and $\eta$ are equal on $FV^\square(\vec{T}U)$, $[\![U]\!]_{\xi',\gamma\rho\sigma} = [\![U]\!]_{\eta,\gamma\rho\sigma} = [\![U\gamma\rho]\!]_{\xi,\sigma}$ and $[\![\vec{T}]\!]_{\xi',\gamma\rho\sigma} = [\![\vec{T}]\!]_{\eta,\gamma\rho\sigma} = [\![\vec{T}\gamma\rho]\!]_{\xi,\sigma}$.

We now prove that $\sigma$ is adapted to $\xi$. Let $x \in dom(\Gamma)$. Since rules are well-formed, there exists $i$ such that $l_i : T_i\gamma \rhd^* x : x\Gamma$ and $dom(\rho) \subseteq FV(\vec{l}) \setminus dom(\Gamma)$. Since $l_i\sigma \in [\![T_i\gamma\rho]\!]_{\xi,\sigma}$, by correctness of accessibility, $x\sigma \in [\![x\Gamma\rho]\!]_{\xi,\sigma}$. Since $dom(\rho) \cap dom(\Gamma) = \emptyset$, $x\Gamma\rho = x\Gamma$ and $x\sigma \in [\![x\Gamma]\!]_{\xi,\sigma}$. Therefore, $\sigma$ is adapted to $\xi$ and, by correctness of the computability closure, $r\sigma \in [\![U\gamma\rho]\!]_{\xi,\sigma} = [\![U]\!]_{\eta,\theta}$. $\square$

Lemma 69 (Computability of well-typed terms) If $\Gamma \vdash t : T$ and $\xi,\theta \models \Gamma$ then $t\theta \in [\![T]\!]_{\xi,\theta}$.

Proof. After Lemmas 63, 66 and 68. $\square$

Theorem 70 (Strong normalization) Every typable term is strongly normalizable.

Proof. Assume that $\Gamma \vdash t : T$. Let $x\xi = \top_{x\Gamma}$ for all $x \in dom(\Gamma)$. Since $\xi \models \Gamma$ and the identity substitution $\iota$ is adapted to $\xi$, $t \in S = [\![T]\!]_{\xi,\iota}$. Now, either $T = \square$ or $\Gamma \vdash T : s$ for some $s$. If $T = \square$ then $S = \top_\square = \mathcal{SN}$. If $\Gamma \vdash T : s$ then $S \in \mathcal{R}_s$ and $S \subseteq \mathcal{SN}$ by (R1). So, in both cases, $t \in \mathcal{SN}$. $\square$



7. Future directions of research 

We conclude by giving some directions of research for improving our conditions of strong 
normalization. 



Rewriting modulo. We did not consider rewriting modulo some equational theories like associativity and commutativity. While this does not create too many difficulties at the object level (Blanqui 2003, RTA), it is less clear for rewriting at the type level.

Quotient types. We have seen that rewrite rules on constructors allow us to formalize some quotient types. However, proving properties by induction on such types requires knowing what the normal forms are (Jouannaud and Kounalis 1986) and may also require a particular reduction strategy (Courtieu 2001) or conditional rewriting.

Confluence. Among our strong normalization conditions, we not only require rewriting to be confluent but also its combination with β-reduction. This is a strong condition since we cannot rely on strong normalization for proving confluence (Nipkow 1991; Blanqui 2000). Except for first-order rewriting systems without dependent types (Breazu-Tannen and Gallier 1994) or left-linear higher-order rewrite systems (Müller 1992; Van Oostrom 1994), few results are known on modularity of confluence for the combination of higher-order rewriting and β-reduction. Therefore, it would be interesting to study this problem more deeply.

Local confluence. We believe that local confluence is sufficient for establishing strong 
normalization since local confluence and strong normalization together imply confluence. 
But, then, it seems necessary to prove many properties simultaneously (subject reduc- 
tion, strong normalization and confluence), which seems difficult. 

Simplicity. For non-primitive predicate symbols, we require that their defining rules have no critical pairs between them or with the other rules. These strong conditions allow us to define a valid interpretation in a simple way. It is important to be able to weaken these conditions in order to capture more decision procedures.

Local definitions. In our work, we considered only globally defined symbols, that is, symbols whose type is typable in the empty environment. However, in practice, during a formal proof in a system like Coq (Coq Development Team 2002), it may be very useful to introduce symbols and rules under some hypotheses. We should study the problems arising from local definitions and how our results can be used to solve them. Local abbreviations are studied by Poll and Severi (Poll and Severi 1994) and local definitions by rewriting are considered by Chrząszcz (Chrząszcz 2000).

HORPO. For higher-order definitions, we have chosen to extend the General Schema of Jouannaud and Okada (Jouannaud and Okada 1997). But the Higher-Order Recursive Path Ordering (HORPO) of Jouannaud and Rubio (Jouannaud and Rubio 1999), which is an extension of RPO to the simply typed λ-calculus, is naturally more powerful. Walukiewicz recently extended this ordering to the Calculus of Constructions with symbols at the object level only (Walukiewicz 2000; Walukiewicz-Chrząszcz 2002). The combination of the two works should allow us to extend RPO to the Calculus of Constructions with type-level rewriting too.

η-Reduction. Among our conditions, we require the confluence of $\to_{\mathcal{R}} \cup \to_\beta$. Hence, our results cannot be directly extended to η-reduction, which is well known to create important difficulties (Geuvers 1993) since $\to_\beta \cup \to_\eta$ is not confluent on non-well-typed terms.

Non-strictly positive predicates. The ordering used in the General Schema for com- 
paring the arguments of function symbols can capture recursive definitions on basic and 
strictly-positive types, but cannot capture recursive definitions on non-strictly positive 
types (Matthes 2000). However, Mendler (Mendler 1987) showed that such definitions 
are strongly normalizing. In (Blanqui 2003, TLCA), we recently showed how to deal with 
such definitions in the Calculus of Algebraic Constructions. 